Update Security Policy contact info (#4447)

shemnon · web-flow · commit 2d02f6be412d · 2022-10-03T14:08:51.000+01:00
* Update Security Policy contact info

At the request of the EF, a besu-only security list was created, and is
the first listed email.  The out-of-date Jira location is also removed.

Signed-off-by: Danno Ferrin &lt;danno.ferrin@gmail.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -7,13 +7,15 @@ hear from you. We will take all security bugs seriously and if confirmed upon in
 patch it within a reasonable amount of time and release a public security bulletin discussing the
 impact and credit the discoverer.
 
-There are two ways to report a security bug. The easiest is to email a description of the flaw and
-any related information (e.g. reproduction steps, version) to
-[security at hyperledger dot org](mailto:security@hyperledger.org).
-
-The other way is to file a confidential security bug in our
-[JIRA bug tracking system](https://jira.hyperledger.org). Be sure to set the “Security Level” to
-“Security issue”.
+There are two email addresses where Hyperledger Besu accepts security bugs. The
+first, [security "dash" besu at lists dot hyperledger dot org](mailto:security-besu@lists.hyperledger.org)
+is limited to a subset of Hyperledger Besu maintainers and Hyperledger staff. For highly sensitive
+bugs this is a preferred address. The second email
+address [security at hyperledger dot org](mailto:security@hyperledger.org) is limited to a subset of
+maintainers and staff of all Hyperledger projects, and may be viewed by maintainers outside of
+Hyperledger Besu. When sending information to either of these emails please be sure to include a
+description of the flaw and any related information (e.g. reproduction steps, version, known active
+use).
 
 The process by which the Hyperledger Security Team handles security bugs is documented further in
 our [Defect Response page](https://wiki.hyperledger.org/display/SEC/Defect+Response) on our
