Add SECURITY.md to document security policy (#516)

This commit adds a SECURITY.md file to the repository to document the security policy for the project. We recently enabled the private security advisories feature on the repository (which is a relatively new "beta" feature in github). Since we now have a place to privately raise potential security issues it is good to have a documented policy on how security vulnerabilities should be reported and our support policy for the versions we will fix (which is just the latest release series). Over time we can adjust this policy as needed.
Qiskit · Feb 17, 2023 · d4ef5cd · d4ef5cd
1 parent 5aeaa9d
commit d4ef5cd
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+`qiskit-ibm-provider` supports one minor version release at a time, both for bug
+and security fixes. For example, if the most recent release is 0.12.1, then the
+0.12.x release series is currently supported.
+
+## Reporting a Vulnerability
+
+To report vulnerabilities, you can privately report a potential security issue
+via the Github security vulnerabilities feature. This can be done here:
+
+https://github.com/Qiskit/qiskit-ibm-provider/security/advisories
+
+Please do **not** open a public issue about a potential security vulnerability.
+
+You can find more details on the security vulnerability feature in the Github
+documentation here:
+
+https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability