Merge branch 'main' into self_test

README.md

@@ -66,6 +66,10 @@ Contributions are welcome. Before contributing, please see
 the [Code of Conduct](doc/code-of-conduct.md) and 
 [the contributing guide](doc/contributing.md).
 
+## Reporting Security Vulnerabilities
+
+Please follow the procedure described in [SECURITY.md](SECURITY.md).
+
 ## License
 
 Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file.

SECURITY.md

@@ -0,0 +1,12 @@
+# Reporting a Vulnerability
+
+Pinniped development is sponsored by VMware, and the Pinniped team encourages users 
+who become aware of a security vulnerability in Pinniped to report any potential 
+vulnerabilities found to security@vmware.com. If possible, please include a description 
+of the effects of the vulnerability, reproduction steps, and a description of in which
+version of Pinniped or its dependencies the vulnerability was discovered. 
+The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
+
+The Pinniped team hopes that users encountering a new vulnerability will contact 
+us privately as it is in the best interests of our users that the Pinniped team has 
+an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.