Add SECURITY.md file (#64)

* chore: initial commit

* docs: add initial file

Signed-off-by: Jorge García Rey <[email protected]>

* docs: add initial file

Signed-off-by: Jorge García Rey <[email protected]>

* docs: add security section in README

Signed-off-by: Jorge García Rey <[email protected]>

---------

Signed-off-by: Jorge García Rey <[email protected]>

README.md

@@ -6,8 +6,8 @@
 Sherpa for [GitHub CLI](https://github.com/cli/cli) makes it easy for you to **create branches** and **pull requests**
 associated with any **GitHub or Jira issue**.
 
-This extension retrieves the type of issue (_User Story_, _Bug_, _Technical Improvement_, etc) and creates a branch or 
-pull request associated with that issue, following the contribution model you define in a 
+This extension retrieves the type of issue (_User Story_, _Bug_, _Technical Improvement_, etc) and creates a branch or
+pull request associated with that issue, following the contribution model you define in a
 [configuration file](#configuration).
 
 ![Create PR](docs/images/create-pr.svg)
@@ -23,8 +23,10 @@ pull request associated with that issue, following the contribution model you de
 ## Prerequisites
 
 - An available GitHub account.
-- [**GitHub CLI**](https://github.com/cli/cli) (version `2.0.0` or higher) configured and [authenticated](https://cli.github.com/manual/gh_auth_login) in your development environment.
-- **Bash**: Supports Linux, MacOS and Windows (for the latter, we recommend using [`WSL2`](https://learn.microsoft.com/en-us/windows/wsl/install)).
+- [**GitHub CLI**](https://github.com/cli/cli) (version `2.0.0` or higher) configured and
+[authenticated](https://cli.github.com/manual/gh_auth_login) in your development environment.
+- **Bash**: Supports Linux, MacOS and Windows (for the latter, we recommend using
+[`WSL2`](https://learn.microsoft.com/en-us/windows/wsl/install)).
 
 ## Installation
 
@@ -38,7 +40,8 @@ gh extension install InditexTech/gh-sherpa
 
 ### Upgrade
 
-If you have already installed this extension and you want to **upgrade** it, so, you should run this command from your terminal:
+If you have already installed this extension and you want to **upgrade** it, so, you should run this command from your
+terminal:
 
 ```sh
 gh extension upgrade sherpa
@@ -64,15 +67,24 @@ file to perform these mappings.
 
 ### Custom configuration
 
-Otherwise, if you wish customize the different issue types, branch prefixes, etc, so, you can **create your own configuration
-file** localed in `$HOME/.config/sherpa/config.yml` from the [default config file](internal/config/default-config.yml).
+Otherwise, if you wish customize the different issue types, branch prefixes, etc, so, you can **create your own
+configuration file** localed in `$HOME/.config/sherpa/config.yml` from the
+[default config file](internal/config/default-config.yml).
 
-> If you are **using Jira as issue tracker**, so, the first time you run a command it will ask you to configure Jira credentials and then proceed to create the custom configuration file with the provided Jira credentials.
+> If you are **using Jira as issue tracker**, so, the first time you run a command it will ask you to configure Jira
+credentials and then proceed to create the custom configuration file with the provided Jira credentials.
 
 ## Usage
 
-After installing this extension in your development environment, you can know the available commands in the [`USAGE.md`](docs/USAGE.md) file.
+After installing this extension in your development environment, you can know the available commands in the
+[`USAGE.md`](docs/USAGE.md) file.
 
 ## Contribute
 
-Before developing any new feature or fix, please, check the [`CONTRIBUTING.md`](CONTRIBUTING.md) file. You will find there the steps to contribute along with development and testing guidelines.
+Before developing any new feature or fix, please, check the [`CONTRIBUTING.md`](CONTRIBUTING.md) file. You will find
+there the steps to contribute along with development and testing guidelines.
+
+## Security
+
+If you find a security vulnerability in this project, please, check the [`SECURITY.md`](SECURITY.md) file to know how to
+report it.

SECURITY.md

@@ -0,0 +1,28 @@
+# Security
+
+We at Inditex believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy
+of all opensource community.
+
+If you believe you have found a security vulnerability in any Inditex repository that meets Inditex definition of a
+security vulnerability, please report it to us as described below. We appreciate the hard work maintainers put into
+fixing vulnerabilities and understand that sometimes more time is required to properly address an issue.
+
+## Reporting security issues
+
+> [!CAUTION]
+> Do not file public issues on GitHub for security vulnerabilities
+
+* Let us know by submitting the finding through our [disclosure submission program](https://inditex.responsibledisclosure.com/)
+as soon as possible, upon discovery of a potential security issue.
+* Once we've assessed your report, we will create a GitHub "security advisory", which will allow the reporter and
+Inditex team to work on the issue in a confidential manner. We will invite you as a collaborator to the advisory and any
+needed trusted persons.
+* That "security advisory" will also allow us to have a temporary private fork, to work on the fix in confidentiality.
+* Once a fix is ready, we will include the fix in our next release and mark that release as a security release.
+* Details on the issue will be embargoed for 30 days to give users an oppurtunity to upgrade, after which we will
+coordinate disclosure with the researcher(s).
+* If you've contributed the fix, you will be credited for it.
+
+## Policy
+
+Find out more about our [responsible disclosure policy](https://inditex.responsibledisclosure.com/hc/en-us#vdp_policy)

repolinter.json

@@ -62,7 +62,7 @@
       }
     },
     "security-file-exists": {
-      "level": "off",
+      "level": "error",
       "rule": {
         "type": "file-existence",
         "options": {