Conversation

@benlk (Collaborator) commented Jun 6, 2019

This starts the work of adding a security policy for the INN organization on GitHub, which will provide answers to people who want to report security vulnerabilities in INN's products. Resolves #6

Research

Questions

  • What email address should we send people to? Should we tell people how that email is routed if they are concerned about the chain of custody of such emails?
  • What physical address should people send mail to in the event that they do not want to, or are unable to, send an email? (Probably the INN main office, to a specific name care of INN)
  • What procedures do we need to implement on our end for the handling of security vulnerability reports? Where should we store those procedures? (INN/docs, likely)
  • Should we talk about email encryption, and if so, whose keys should we tell people to use, or where can we point people to find the keys used by INN's humans?
  • How should we thank people for reporting responsibly?
  • Do we want to set up something like HackerOne?

@benlk benlk requested a review from a team June 6, 2019 11:04
@benlk benlk requested review from joshdarby and kaylima September 20, 2019 22:31

Development

Successfully merging this pull request may close these issues.

Create SECURITY