From 240494abdd6f7c7c7462512891f15f7c06173ef0 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler" <dwheeler@dwheeler.com>
Date: Wed, 23 Aug 2023 14:01:08 -0400
Subject: [PATCH 1/4] Add SECURITY.md file

This commit adds a SECURITY.md file, so panicked reporters
will know how to report them. Since private reporting is enabled,
I presume that's how this group wants the vulnerabilities reported.

I also tweaked the README to point to it.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---
 README.md   | 5 +++++
 SECURITY.md | 8 ++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/README.md b/README.md
index eedd12b8..f0874284 100644
--- a/README.md
+++ b/README.md
@@ -272,3 +272,8 @@ an external contributor could potentially exploit it to extract the PAT.
 
 The only benefit of a "classic" PAT is that it can be set to never expire.
 However, we believe this does not outweigh the significantly higher risk of "classic" PATs compared to fine-grained PATs.
+
+## Reporting vulnerabilities
+
+If you find a vulnerability, please report it to us!
+See [SECURITY.md](./SECURITY.md) for more information.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..7792ddfa
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,8 @@
+# Security
+
+If you find a significant vulnerability, or evidence of one,
+please report it privately.
+
+We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/coreinfrastructure/best-practices-badge/security), in the left sidebar, under "Reporting", click
+Advisories, then click "Report a vulnerability" to open the advisory form.

From ac626b1025718c4e89091bc6e111b65e808d1e7a Mon Sep 17 00:00:00 2001
From: "David A. Wheeler" <dwheeler@dwheeler.com>
Date: Mon, 28 Aug 2023 11:08:12 -0400
Subject: [PATCH 2/4] Remove incorrect URL

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
---
 SECURITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index 7792ddfa..a969d772 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,5 +4,5 @@ If you find a significant vulnerability, or evidence of one,
 please report it privately.
 
 We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
-[main repository's security tab](https://github.com/coreinfrastructure/best-practices-badge/security), in the left sidebar, under "Reporting", click
+main repository's security tab, under "Reporting", click
 Advisories, then click "Report a vulnerability" to open the advisory form.

From cf64e568f864e3900e9cb25ece0e9a927d9d2f42 Mon Sep 17 00:00:00 2001
From: Spencer Schrock <sschrock@google.com>
Date: Tue, 5 Sep 2023 11:30:00 -0700
Subject: [PATCH 3/4] Add reporting vulns to table of contents.

Signed-off-by: Spencer Schrock <sschrock@google.com>
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index f0874284..eea5044d 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ ________
 - [Workflow Example](#workflow-example)
 
 ["Classic" PAT Requirements and Risks](#classic-personal-access-token-pat-requirements-and-risks)
+
+[Reporting vulnerabilities](#reporting-vulnerabilities)
 ________
 
 The following GitHub triggers are supported: `push`, `schedule` (default branch only).

From 1197f3325d7f850aae3f625adcaa4027a6cd1a82 Mon Sep 17 00:00:00 2001
From: Spencer Schrock <sschrock@google.com>
Date: Tue, 5 Sep 2023 11:30:35 -0700
Subject: [PATCH 4/4] clarify reporting instructions for non-admin.

Signed-off-by: Spencer Schrock <sschrock@google.com>
---
 SECURITY.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index a969d772..be466026 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,5 +4,4 @@ If you find a significant vulnerability, or evidence of one,
 please report it privately.
 
 We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
-main repository's security tab, under "Reporting", click
-Advisories, then click "Report a vulnerability" to open the advisory form.
+[main repository's security tab](https://github.com/ossf/scorecard-action/security), click "Report a vulnerability" to open the advisory form.