From 5aeb2bfe4eecbcf5b5e59730a8f780ce5dee65a6 Mon Sep 17 00:00:00 2001 From: Parker Moore <237985+parkr@users.noreply.github.com> Date: Thu, 16 Dec 2021 09:17:36 -0500 Subject: [PATCH] Add Security Policy document (#8823) Merge pull request 8823 --- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ docs/pages/team.md | 9 +++++++++ 2 files changed, 41 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..c704a28f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,32 @@ +# Security Policy + +## Supported Versions + +Security updates are applied to the latest MINOR version of Jekyll, and the version used by GitHub Pages, v3.9.x. + +| Version | Supported | +| ------- | ------------------ | +| 4.2.x | :white_check_mark: | +| 3.9.x | :white_check_mark: | +| < 3.9.x | :x: | + +## Reporting a Vulnerability + +Please report vulnerabilities by sending an email to security@jekyllrb.com with the following information: + +1. A description of the vulnerability +2. Reproduction steps and/or a sample site (share a private repo to the [Jekyll Security Team](docs/pages/team.md)) +3. Your contact information + +The Jekyll security team will respond to your submission and notify you whether it has been confirmed by the team. +Your confidentiality is kindly requested as we work on a fix. We will provide our patch to you to test and verify that the vulnerability has +been closed. + +If you have created a patch and would like to submit that to us as well, we will happily consider it though we cannot guarantee that we will +use it. If we use your patch, we will attribute authorship to you either as the commit author, or as a co-author. + +Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive +credit in our release post. + +Once the patched version has been released, we will no longer request you to maintain confidentiality and you may choose to share details on +how you found the vulnerability with the community. diff --git a/docs/pages/team.md b/docs/pages/team.md index 47b8e807..901eb729 100644 --- a/docs/pages/team.md +++ b/docs/pages/team.md 
@@ -12,6 +12,15 @@ community around the Jekyll ecosystem thrive._ * Ashwin (@ashmaroli) * Matt (@mattr-) +## Security Team + +_The Jekyll Security Team's responsibility is to triage, validate, and +patch security vulnerabilities reported to them._ + +* Parker (@parkr) +* Ashwin (@ashmaroli) +* Matt (@mattr-) + ## Emeritus Core Team Members _Emeritus Core Team Members were once members of Jekyll's Core Team._
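Review bot: In the SECURITY.md hunk, the "Reporting a Vulnerability" section sets no acknowledgement window and names no channel for sending sensitive reproduction material other than plaintext email to security@jekyllrb.com, so a reporter cannot tell when to follow up or whether the private-repo route is the preferred way to share a sample site. Suggest adding one line with a response target (a placeholder such as "We aim to acknowledge reports within N business days" until the team settles on a number) and one stating that reproduction details should go in the private repository shared with the team rather than in the email body. Two wording fixes in the same hunk: "share a private repo to the Jekyll Security Team" should read "share a private repo with the Jekyll Security Team", and "we will no longer request you to maintain confidentiality" reads better as "we will no longer ask you to maintain confidentiality". The Supported Versions table also hard-codes `| 4.2.x | :white_check_mark: |` while the prose above it says "the latest MINOR version", so the row will go stale at the next minor release unless it is worded as "latest 4.x" or updated as part of the release checklist.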
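Review bot: In the docs/pages/team.md hunk, the new "Security Team" section lists the same three handles that the surrounding context shows as Core Team members, and nothing on the team page points back to the reporting process, even though SECURITY.md sends reporters here to find who to share a private repo with. Suggest adding a sentence under the italic description such as "See SECURITY.md for how to report a vulnerability." so a reader landing on this page knows where the process lives and that these are the accounts to grant repository access to. Minor: the italic description is split across two lines with the opening `_` on the first and the closing `_` on the second, while the Emeritus description in the context below keeps it on one line; keeping the same convention avoids a renderer treating the underscores as stray emphasis markers.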