From 33a112b839788d59e3da95f8be674a42e52ba2df Mon Sep 17 00:00:00 2001 From: Wes Dean <87149725+wesley-dean-gsa@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:32:09 -0400 Subject: [PATCH] Update SECURITY.md This adds a `Security Researchers` section from the [GSA Vulnerability Disclosure Policy](https://www.gsa.gov/vulnerability-disclosure-policy) which includes a request to keep vulnerabilities confidential for 90 days after notifying GSA. This should satisfy Scorecard. --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 1bc7c06e..8e99a1e7 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,3 +25,11 @@ Please note that only certain branches are supported with security updates. When using this code or reporting vulnerabilities please only use supported versions. + +## Security Researchers + +Security researchers shall: + +* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data. +* Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must stop your test and notify us immediately. +* Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified GSA. For details, please review Coordinated Disclosure.
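Review bot: the new `## Security Researchers` bullets in SECURITY.md point at text that is not in this file. The second bullet says "or encountered any of the sensitive data outlined above", but nothing above the hunk (its context covers only supported branches and versions) lists any sensitive data, and the third bullet ends with "For details, please review Coordinated Disclosure." without a link or a section of that name. Since the commit message says the text comes from the GSA Vulnerability Disclosure Policy, either link both references to https://www.gsa.gov/vulnerability-disclosure-policy or copy the sensitive-data list and the coordinated-disclosure paragraph into SECURITY.md, so a researcher reading this file alone knows what they are being asked to stop on and what the 90-day confidentiality window actually covers.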