@@ -0,0 +1,35 @@
+<!--
+Part of the Carbon Language project, under the Apache License v2.0 with LLVM
+Exceptions. See /LICENSE for license information.
+SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+-->
+
+# Security policy
+
+It's important to us that the Carbon Language provides a secure implementation.
+Thank you for taking the time to report vulnerabilities.
+
+The Carbon Language is still an
+[experimental project](/README.md#project-status), so please be careful if using
+it in security-sensitive environments.
+
+# Reporting a vulnerability
+
+Please use
+<https://github.com/carbon-language/carbon-lang/security/advisories/new> to
+report security vulnerabilities.
+
+We use GitHub's vulnerability reporting for intake. We will respond to reports
+within two weeks. For valid issues we will coordinate and disclose on GitHub.
+
+If you haven't received a response, a couple steps to take are (in order):
+
+1. Contact individuals directly:
+ - [Chandler Carruth](mailto:chandlerc@gmail.com)
+ - [Richard Smith](mailto:richard@metafoo.co.uk)
+ - [Jon Ross-Perkins](mailto:jperkins@google.com)
+2. Reach out on
+ [#infra](https://discord.com/channels/655572317891461132/707150492370862090)
+ on Discord ([invite](https://discord.gg/ZjVdShJDAs))
+ - This is a public forum, so say you're asking for a security contact
+ rather than talking about the security issue directly.
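Review bot: the fallback step 1 (the three `mailto:` links) gives reporters no confidential channel: two of the addresses are on public mail providers and no PGP key or fingerprint is published, so a reporter following "Contact individuals directly" will naturally send the full details over unencrypted email. Either add a key fingerprint per contact, or carry the same caveat the Discord bullet already has ("say you're asking for a security contact rather than talking about the security issue directly") up to step 1 as well. Two smaller points: the intake URL `/security/advisories/new` only works for outside reporters once private vulnerability reporting is enabled in the repository settings, so please confirm that is switched on before this lands, and "We will respond to reports within two weeks" should say whether that is an acknowledgement or a triage decision. Style: "Reporting a vulnerability" is a second `#` heading; it reads as a subsection of "Security policy" and should be `##`.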