Add a security policy file #149

Open
@pnacht

I've noticed that CONTRIBUTING.md points users to Facebook's bug-bounty program in case any security vulnerabilities are found in the project. Is that still the proper venue after PyTorch migrated to the Linux Foundation?

Regardless, having this information on a separate SECURITY.md file makes it much more visible for users. It'll be front and center for users who enter the project's "Security" panel, and they'll also see references to the policy in the "New issue" page.

If there's interest, I'd be happy to submit a PR with a draft policy (based on CONTRIBUTING.md or with any new information).


Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
