SECURITY: Add SECURITY file

The SECURITY file describes the GRUB project security policy.

It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md

Signed-off-by: Alex Burmashev <[email protected]>
Signed-off-by: Vladimir Serbinenko <[email protected]>
Signed-off-by: Daniel Kiper <[email protected]>

Author: Daniel Kiper

MAINTAINERS

@@ -8,6 +8,10 @@ Here is the list of current GRUB maintainers:
 
 The maintainers drive and overlook the GRUB development.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 The GRUB development happens on the grub-devel mailing list [1]. The latest
 GRUB source code is available at Savannah git repository [2].
 

README

@@ -9,6 +9,10 @@ GRUB 2 data and program files.
 
 See the file MAINTAINERS for information about the GRUB maintainers, etc.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.
 

SECURITY

@@ -0,0 +1,60 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security group, the individual engineers that
+work on fixing it, and any other person who needs to be involved for organisational
+reasons. The process is handled by the security team, which decides on the people
+involved in order to fix the issue. It is also guaranteed that the person reporting
+the issue has visibility into the process of fixing it. Any security issue gets
+prioritized according to its security rating. The issue is opened up to the public
+in coordination with the release schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter -
+is required to adhere to the following policy. Any information related to
+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report should be encrypted with the PGP keys and sent to ALL email
+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+While there's currently no bug bounty program we appreciate every report.
+
+* Contact: Daniel Kiper <[email protected]> and
+           Daniel Kiper <[email protected]>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <[email protected]>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <[email protected]>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209