Create SECURITY.md for security reporting guidelines

nearlyforget · web-flow · commit f25681bb401d · 2026-02-13T11:20:36.000-08:00
Added a security policy for reporting issues.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,25 @@
+<!--
+   Copyright 2026 UCP Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on
+g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using
+GitHub Security Advisory to privately discuss and fix the issue.
