chore: add security warning

nicobao · nicobao · commit fabfb994fc6c · 2024-12-31T09:51:20.000+01:00
diff --git a/README.md b/README.md
@@ -73,6 +73,10 @@ We generate an `openapi-zkorum.json` file from the backend, and then use [openap
 
 Some typescript source files are shared directly without using npm packages - by copy-pasting using rsync.
 
+## Security disclosures
+
+If you discover any security issues, please send an email to security@zkorum.com. The email is automatically CCed to the entire team, and we'll respond promptly. See [SECURITY](./SECURITY.md) for more info.
+
 ## Contributing
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md)
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please do NOT report possible security vulnerabilities in public channels such as GitHub Issues. If you believe you have found a security vulnerability, please email us at `security@zkorum.com` with a description of the issue.
+
+We will acknowledge the vulnerability as soon as possible - within 3 business days - and follow up when a fix lands. Please avoid discussing the vulnerability until we do so.
+
+With your consent, we will add you to the repository [AUTHORS](./AUTHORS) file.
