- 🇫🇷 France prudloff Lille
I agree this would be useful.
We sometimes report vulnerabilities to upstream libraries used in contrib and having a SECURITY.md file helps a lot. So we should also make it easy for people outside of Drupal to share vulnerabilities with us.
- First commit to issue fork.
- 🇳🇿 New Zealand quietone
Keep in mind there is existing documentation, https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett... . Should core just link to that? Just a thought.
- 🇺🇸 United States nicxvan
nicxvan changed the visibility of the branch 9.2.x to hidden.
- 🇺🇸 United States nicxvan
nicxvan changed the visibility of the branch 3094817-add-a-security.md to hidden.
- 🇳🇿 New Zealand quietone
There is a suggested change on the MR.
Also the text limits this to core and contributed modules, whereas the linked page states "module, theme, or distribution".
- 🇺🇸 United States nicxvan
Thanks! I think those notes came after RTBC and I missed them.
I think I've addressed their comments and yours.
- 🇳🇿 New Zealand quietone
This time I did more research before commenting.
- 🇺🇸 United States nicxvan
I think quietone addressed your suggestion, thank you!
- 🇺🇸 United States smustgrave
Distributions aren't really a thing anymore, are they?
They may be out of date with recipes, but I believe they are definitely still around.
Sorry for the late comment here, but there already exists text of this policy:
# How to report a security issue
If you discover or learn about a potential error, weakness, or threat that can compromise the security of Drupal, we ask you to keep it confidential and submit your concern to the Drupal security team.
Should we not use the same?
- 🇺🇸 United States nicxvan
No, that was already suggested and addressed by @quietone:
From the MR:
I don't think this is an improvement. Previous comments have pointed out that the capitalization of Contributed is incorrect. That would also apply to 'Core'. This also removes distribution, which should remain. And core does not use the style 'we ask' in any user facing text so this should not as well. The exchange of 'security vulnerability' for a list of items is limiting and I would rather that the more open to interpretation phrase remain.
We are also linking to the resource that the one you linked to links to so it's more direct.
I think it's ok to restore status since this question was addressed already.
- quietone committed 8c2ce13d on 10.4.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- quietone committed 0cf21013 on 10.5.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- quietone committed 3b8c1839 on 10.6.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- quietone committed 74a477bc on 11.1.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- quietone committed 04bd2f9c on 11.2.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- quietone committed 6603a36d on 11.x
Issue #3094817 by nicxvan, quietone, prudloff: Add a SECURITY.md...
- 🇳🇿 New Zealand quietone
Thanks everyone.
Backported to Drupal 10 because the expectation that this file exists is growing, and security issues can be critical.
@nicxvan re #28, not everything in that comment was addressed. I guess recipes don't count? IMO this text shouldn't cite specific project types.
- 🇸🇰 Slovakia poker10
I agree that we technically cover all code on git.drupalcode.org, if the project is opted into security advisory coverage and has a stable release. So also recipes (https://new.drupal.org/browse/recipes) and general projects (https://www.drupal.org/project/project-general).
We probably need to update the wording in https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett... , but in the SA policy (https://www.drupal.org/drupal-security-team/security-advisory-process-an...), the project types (modules, themes, distributions) are not explicitly mentioned and the policy is not restricted to these types.
- 🇫🇷 France prudloff Lille
It is now displayed here: https://github.com/drupal/drupal/security