From bd88e42a9d74a947225ae3dec031fc75e10bc89c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Montgomery=20Edwards=E2=81=B4=E2=81=B4=E2=81=B8?=
 <57072051+x448@users.noreply.github.com>
Date: Fri, 20 Mar 2020 11:22:33 -0500
Subject: [PATCH] Update Security Policy (#196)

Created SECURITY.md file because GitHub automatically uses it.

The text is mostly copied from "Security Policy" section of README.md with an exception added for vulnerabilities already known to the public (to encourage easier or anonymous reporting).

Update "Security Policy" section.  Link to SECURITY.md instead of providing details in the README.
---
 README.md   | 4 ++--
 SECURITY.md | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/README.md b/README.md
index b03a199..863c064 100644
--- a/README.md
+++ b/README.md
@@ -954,9 +954,9 @@ This project has adopted the [Contributor Covenant Code of Conduct](CODE_OF_COND
 Please refer to [How to Contribute](CONTRIBUTING.md).
 
 ## Security Policy
-Security fixes are provided for the latest released version.
+Security fixes are provided for the latest released version of fxamacker/cbor.
 
-To report security vulnerabilities, please email [faye.github@gmail.com](mailto:faye.github@gmail.com) and allow time for the problem to be resolved before reporting it to the public.
+For the full text of the Security Policy, see [SECURITY.md](SECURITY.md).
 
 ## Disclaimers
 Phrases like "no crashes", "doesn't crash", and "is secure" mean there are no known crash bugs in the latest version based on results of unit tests and coverage-guided fuzzing.  They don't imply the software is 100% bug-free or 100% invulnerable to all known and unknown attacks.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..9c05146
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+# Security Policy
+
+Security fixes are provided for the latest released version of fxamacker/cbor.
+
+If the security vulnerability is already known to the public, then you can open an issue as a bug report.
+
+To report security vulnerabilities not yet known to the public, please email faye.github@gmail.com and allow time for the problem to be resolved before reporting it to the public.