
📖 Update security policy to be specific to OpenSSF Scorecard #4212

Merged
merged 5 commits into from
Jul 3, 2024

Conversation

justaugustus
Member

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

The current security policy was last updated three years ago and appears to be boilerplate from Google open source projects.

What is the new behavior (if this is a feature change)?

This updated security policy is specific to the OpenSSF Scorecard project and considers:

Which issue(s) this PR fixes

Partially addresses #4194.

Special notes for your reviewer

Tagging a few different groups for review here, as the new standard for OpenSSF Scorecard subproject security policies should be something along the lines of:

This project adheres to the OpenSSF Scorecard security policy.

(to minimize drift across the project)

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
@justaugustus justaugustus requested review from a team, naveensrinivasan and raghavkaul and removed request for a team July 3, 2024 20:02
@justaugustus justaugustus marked this pull request as ready for review July 3, 2024 20:03

codecov bot commented Jul 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.89%. Comparing base (da0f2b4) to head (211c2c0).
Report is 17 commits behind head on main.

@@            Coverage Diff             @@
##             main    #4212      +/-   ##
==========================================
+ Coverage   60.17%   61.89%   +1.71%     
==========================================
  Files         212      212              
  Lines       15556    15552       -4     
==========================================
+ Hits         9361     9626     +265     
+ Misses       5492     5206     -286     
- Partials      703      720      +17     

@jeffmendoza
Member

Taking a look at "the inherited SECURITY.md from ossf/.github" Should we also mention either:

?

Member

@spencerschrock spencerschrock left a comment


+1 to Jeff's suggestion on fallback mention.

I'm otherwise happy with the content, but will leave for others to review

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>
@spencerschrock
Member

Tagging a few different groups for review here, as the new standard for OpenSSF Scorecard subproject security policies should be something along the lines of:

This project adheres to the OpenSSF Scorecard security policy.

(to minimize drift across the project)

Ironically this may cause subprojects to only score a 9/10 for Security-Policy based on the last point being awarded for certain terms. (Personally I find that scoring a little too picky but that's how it is currently)

@justaugustus
Member Author

Taking a look at "the inherited SECURITY.md from ossf/.github" Should we also mention either:

* [security@openssf.org](mailto:security@openssf.org) is a fallback

* This policy adheres to the overall policy at https://www.linuxfoundation.org/security

?

I was thinking the same, but initially decided to leave it out, as I think we should have our own list for this eventually.
That said, it makes sense to have it here at this stage, and I've added that note in 1a8adee.

@justaugustus justaugustus enabled auto-merge (squash) July 3, 2024 20:50
@justaugustus
Member Author

Ironically this may cause subprojects to only score a 9/10 for Security-Policy based on the last point being awarded for certain terms. (Personally I find that scoring a little too picky but that's how it is currently)

@spencerschrock — Good call-out! I've opened #4215 so we don't lose that thread.

@justaugustus justaugustus merged commit 3f38548 into ossf:main Jul 3, 2024
36 checks passed