From c2ca023fd760ecd64b051bd849f100d180d76a34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 14:28:04 +0200 Subject: [PATCH] docs: add security escalation policy --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 641c13b..ff58b65 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -23,3 +23,9 @@ Please include as much of the information listed below as you can to help us bet * Impact of the issue, including how an attacker might exploit the issue This information will help us triage your report more quickly. + +## Escalation + +If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
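Review bot: In the added Escalation section the two deadlines use different units: the first paragraph says "6 business days", while the second says "14 days" without stating whether these are business or calendar days, or whether the count starts at the report or at the acknowledgement. Suggest making this explicit, for example "within 14 calendar days of the acknowledgement", so a reporter can tell when escalation is appropriate. The second paragraph also does not say where to escalate; pointing back to the OpenJS Foundation CNA address from the first paragraph would make it clear the target is the same.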