[glib: 1/2] docs: Add a policy for handling security issues
commit dec66d325f485831d233630d4a82c257732a9e05
Author: Philip Withnall <pwithnall endlessos org>
Date:   Thu Mar 11 17:38:51 2021 +0000

    docs: Add a policy for handling security issues
    
    This also gives details of how to report a security issue, including the
    key point that merge requests are (unfortunately) not confidential.
    
    Heavily based on the flatpak security policy which just landed:
    https://github.com/flatpak/flatpak/blob/master/SECURITY.md
    
    Signed-off-by: Philip Withnall <pwithnall endlessos org>

 SECURITY.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
---
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..4817af76c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,67 @@
+# Security policy for GLib
+
+ * [Supported Versions](#Supported-Versions)
+ * [Reporting a Vulnerability](#Reporting-a-Vulnerability)
+ * [Security Announcements](#Security-Announcements)
+ * [Acknowledgements](#Acknowledgements)
+
+## Supported Versions
+
+Upstream GLib only supports the most recent stable release series, and the
+current development release series. Any older stable release series are no
+longer supported, although they may still receive backported security updates
+in long-term support distributions. Such support is up to the distributions,
+though.
+
+Under GLib’s versioning scheme, stable release series have an *even* minor
+component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series
+have an *odd* minor component (2.67.1, 2.69.0).
+
+## Reporting a Vulnerability
+
+If you think you've identified a security issue in GLib, GObject or GIO, please
+**do not** report the issue publicly via a mailing list, IRC, a public issue on
+the GitLab issue tracker, a merge request, or any other public venue.
+
+Instead, report a
+[*confidential* issue in the GitLab issue 
tracker](https://gitlab.gnome.org/GNOME/glib/-/issues/new?issue[confidential]=1),
+with the “This issue is confidential” box checked. Please include as many
+details as possible, including a minimal reproducible example of the issue, and
+an idea of how exploitable/severe you think it is.
+
+**Do not** provide a merge request to fix the issue, as there is currently no
+way to make confidential merge requests on gitlab.gnome.org. If you have patches
+which fix the security issue, please attach them to your confidential issue as
+patch files.
+
+Confidential issues are only visible to the reporter and the GLib maintainers.
+
+As per the [GNOME security policy](https://security.gnome.org/), the next steps
+are then:
+ * The report is triaged.
+ * Code is audited to find any potential similar problems.
+ * If it is determined, in consultation with the submitter, that a CVE is
+   required, the submitter obtains one via [cveform.mitre.org](https://cveform.mitre.org/).
+ * The fix is prepared for the development branch, and for the most recent
+   stable branch.
+ * The fix is submitted to the public repository.
+ * On the day the issue and fix are made public, an announcement is made on the
+   [public channels listed below](#Security-Announcements).
+ * A new release containing the fix is issued.
+
+## Security Announcements
+
+Security announcements are made publicly via the
+[`distributor` tag on discourse.gnome.org](https://discourse.gnome.org/tag/distributor)
+and cross-posted to the
+[distributor-list](https://mail.gnome.org/mailman/listinfo/distributor-list).
+
+Announcements for security issues with wide applicability or high impact may
+additionally be made via
+[oss-security lists openwall com](https://www.openwall.com/lists/oss-security/).
+
+## Acknowledgements
+
+This text was partially based on the
+[github.com/containers security policy](https://github.com/containers/common/blob/master/SECURITY.md),
+and partially based on the [flatpak security 
policy](https://github.com/flatpak/flatpak/blob/master/SECURITY.md).
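Review bot: the table-of-contents links at the top of the file (`#Supported-Versions`, `#Reporting-a-Vulnerability`, `#Security-Announcements`, `#Acknowledgements`) and the in-text link `(#Security-Announcements)` in the process list use mixed-case fragments, but the heading ids GitLab's Markdown renderer generates are lowercase and browsers match fragments case-sensitively, so these links will not jump to their headings when the file is viewed on gitlab.gnome.org; lowercase them (`#supported-versions`, and so on). Two documentation gaps in "Reporting a Vulnerability" are worth closing: the section offers only the GitLab confidential-issue route, so a reporter without a gitlab.gnome.org account has no stated way to reach the maintainers privately, and the process list goes straight from "The fix is submitted to the public repository" to the public announcement without saying whether distributors on distributor-list get advance notice under embargo or who sets the disclosure date; one sentence on each would spare reporters and distributors from guessing. Minor: the text mixes typographic quotes and apostrophes (`GLib’s`, `“This issue is confidential”`) with a straight apostrophe (`you've`); pick one style.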