Untitled Git - bdk/commitdiff
feat(doc): add `SECURITY.md`
author Luis Schwab <luisschwab@protonmail.com>
Fri, 10 Apr 2026 19:27:30 +0000 (16:27 -0300)
committer Luis Schwab <luisschwab@protonmail.com>
Mon, 27 Apr 2026 15:09:17 +0000 (12:09 -0300)
Add a `SECURITY.md` listing the security PGP key to be used for disclosures

CONTRIBUTING.md
SECURITY.md [new file with mode: 0644]

index 699c824cbae67110b1aee9cd0d5bce85ad94fff0..e234207ca806baa8a4002dfe87d6ea315393e562 100644 (file)
@@ -98,16 +98,9 @@ All new features require testing. Tests should be unique and self-describing. If
 Security
 --------
 
-Security is a high priority of BDK; disclosure of security vulnerabilities helps
-prevent user loss of funds.
+Given the critical nature of BDK as a wallet library, we take security very seriously.
 
-Note that BDK is currently considered "pre-production" during this time, there
-is no special handling of security issues. Please simply open an issue on
-Github.
-
-BDK requires all commits to be signed using PGP. Refer to
-[this guide](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
-if you don't have a PGP key set up with `git` yet.
+For information on how to report security vulnerabilities, please refer to the [Security Policy](SECURITY.md).
 
 Testing
 -------
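Review bot: this hunk silently drops the requirement that all commits be PGP-signed ("BDK requires all commits to be signed using PGP" and the linked git-scm signing guide), which is unrelated to pointing readers at SECURITY.md and is not mentioned in the commit message. If the signing requirement still stands, keep those three lines (or move them to a contributor-workflow section) rather than removing them alongside the disclosure text; if the project has decided to drop the requirement, say so in the commit message so the policy change is recorded. The replacement wording itself is fine, but "Given the critical nature of BDK as a wallet library" could keep the original's concrete motivation (disclosure helps prevent loss of user funds), since that is the reason a reporter should care.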
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644 (file)
index 0000000..3e2e1cd
--- /dev/null
@@ -0,0 +1,16 @@
+# Security Policy
+
+To report security issues send an email to `security AT bitcoindevkit DOT org` (not for support).
+
+The following key may be used to communicate sensitive information to developers:
+
+| Name | Fingerprint |
+| ---- | ----------- |
+| `security@bitcoindevkit.org` | `7416 BB25 5E60 E40D 482E 591B 7201 8930 A1FB 3444` |
+
+You can import the key by running the following command:
+```
+gpg --recv-keys 7416BB255E60E40D482E591B72018930A1FB3444 --keyserver hkps://keys.openpgp.org
+```
+
+You can also download it from [our website](https://bitcoindevkit.org/foundation/pgp/#security-disclosures).
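Review bot: the import instructions stop at `gpg --recv-keys` and never tell the reporter to check what was actually imported against the fingerprint in the table above; add a verification step such as `gpg --fingerprint 7416BB255E60E40D482E591B72018930A1FB3444` and state that the output must match the table (and the copy on the website) before any report is encrypted to it, so a wrong or substituted key from the keyserver is caught. Two smaller points on the same lines: put `--keyserver hkps://keys.openpgp.org` before `--recv-keys` so the option precedes the command in the usual gpg order, and consider tagging the fence (```sh) for consistency with other fenced commands in the repository. The policy also does not say what a reporter should expect after sending mail (acknowledgement window, whether coordinated disclosure is requested), which is worth a sentence even if the answer is "best effort" for now.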