From 63ffc7fb0f65c4dec41bd28ccece5c5ac7118e1b Mon Sep 17 00:00:00 2001 From: Piotr Galar Date: Mon, 12 Dec 2022 15:17:05 +0100 Subject: [PATCH] docs: update security policy with private vulnerability reports info (#3168) This PR updates the security policy to encourage users to file security vulnerability reports through https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability The private vulnerability reports will show up here: https://github.com/libp2p/rust-libp2p/security/advisories?state=triage The maintainers will receive GitHub notification about new private vulnerability reports. --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- .github/ISSUE_TEMPLATE/config.yml | 5 ++++- README.md | 6 ++++-- SECURITY.md | 4 +++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index d13ee922496..b225bdd9a1c 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -5,7 +5,7 @@ about: Create a bug report for rust-libp2p. - + ## Summary diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index a97175d0a26..5fdf7ed9da4 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml 
@@ -1,8 +1,11 @@ blank_issues_enabled: true contact_links: + - name: Report a vulnerability + url: https://github.com/libp2p/rust-libp2p/security/advisories/new + about: For security related issues please file a private security vulnerability report. - name: Question url: https://github.com/libp2p/rust-libp2p/discussions/new?category=q-a about: Please ask questions in the rust-libp2p GitHub Discussions forum. - name: Libp2p Discourse Forum url: https://discuss.libp2p.io - about: Discussions and questions related to multiple libp2p implementations. \ No newline at end of file + about: Discussions and questions related to multiple libp2p implementations. diff --git a/README.md b/README.md index f5813a56679..fe7871a94a1 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,10 @@ This repository is the central place for Rust development of the [libp2p](https: - The **[examples](examples)** folder contains small binaries showcasing the many protocols in this repository. -- For **security related issues** please reach out to security@libp2p.io. Please - do not file a public issue on GitHub. +- For **security related issues** please [file a private security vulnerability + report](https://github.com/libp2p/rust-libp2p/security/advisories/new) + or reach out to [security@libp2p.io](mailto:security@libp2p.io). Please do not + file a public issue on GitHub. - To **report bugs, suggest improvements or request new features** please open a GitHub issue on this repository. diff --git a/SECURITY.md b/SECURITY.md index 4db2a630818..0e5a3f2e55f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -6,4 +6,6 @@ By default we provide security patches for the latest released version only. On ## Reporting a Vulnerability -Please reach out to security@libp2p.io. Please do not file a public issue on GitHub. +Please do not file a public issue on GitHub. Instead, please [file a private security vulnerability report](https://github.com/libp2p/rust-libp2p/security/advisories/new). + +If you need further assistance, please reach out to [security@libp2p.io](mailto:security@libp2p.io).
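Review bot: for the `.github/ISSUE_TEMPLATE/bug_report.md` hunk, the changed line is blank in the rendered diff, so the actual text that was swapped cannot be reviewed here; please confirm in the PR that the line only updates the template's notice text to point reporters at the private security report link and does not alter any field that bug reporters fill in.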
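Review bot: for the `.github/ISSUE_TEMPLATE/config.yml` hunk, the new "Report a vulnerability" link targets `https://github.com/libp2p/rust-libp2p/security/advisories/new`, which only works for external reporters once private vulnerability reporting is enabled in the repository's security settings; please confirm that is switched on before merging, otherwise the first item in the issue chooser sends reporters to a page they cannot use. It would also help to keep the `about` text consistent with README.md and SECURITY.md by mentioning the security@libp2p.io fallback, e.g. `about: For security related issues please file a private security vulnerability report, or email security@libp2p.io.` Placing the link first in `contact_links` is the right call, and the "No newline at end of file" fix is a welcome tidy-up.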
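Review bot: for the `README.md` hunk, the new wording presents the private report and the email as equal alternatives ("or reach out to"), whereas the SECURITY.md change in the same PR makes the private report the primary channel and the email a secondary one; consider aligning the two so reporters get one consistent instruction, e.g. `- For **security related issues** please [file a private security vulnerability report](...). If you cannot use GitHub, reach out to [security@libp2p.io](mailto:security@libp2p.io).` Keeping "Please do not file a public issue on GitHub" is good, since a public issue would disclose the problem before a patch exists.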
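Review bot: for the `SECURITY.md` hunk, "If you need further assistance" is vague about when the email should be used; suggest stating the concrete case, e.g. `If you are unable to use GitHub's private reporting (for example, you do not have a GitHub account), please reach out to [security@libp2p.io](mailto:security@libp2p.io).` The policy also still says nothing about what a reporter should expect after filing (an acknowledgement and the coordinated-disclosure process), which is worth a sentence now that the reporting path is being formalised.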