Commit 1619bf8

Security Policy for eksctl project
1 parent eae8392 commit 1619bf8

2 files changed: +18 -0 lines changed

README.md

+6
@@ -199,6 +199,12 @@ Minor releases of `eksctl` should be expected every two weeks and patch releases
199199

200200
One or more release candidate(s) (RC) builds will be made available prior to each minor release. RC builds are intended only for testing purposes.
201201

202+
## [Security Policy](SECURITY.md)
203+
If you discover a potential security issue in `eksctl` project, please
204+
follow [AWS Vulnerability Reporting process.](https://aws.amazon.com/security/vulnerability-reporting/)
205+
206+
Do not open security related issues in the open source project.
207+
202208
## Get in touch
203209

204210
[Create an issue](https://github.com/weaveworks/eksctl/issues/new), or login to [Weave Community Slack (#eksctl)][slackchan] ([signup][slackjoin]).
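
Review bot: the added sentence "Do not open security related issues in the open source project." at new line 206 sits directly above the unchanged "Get in touch" section, whose first action is "Create an issue", and it does not say which tracker is meant. Name the channel explicitly, for example "Do not report security vulnerabilities through public GitHub issues", and hyphenate "security-related". Two smaller points in the same hunk: the link text "[AWS Vulnerability Reporting process.]" carries the sentence's full stop inside the link, and "in `eksctl` project" is missing an article ("in the `eksctl` project"). Because the heading already links to SECURITY.md, the paragraph copied from that file could be cut down to a pointer so the two copies cannot drift apart.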

SECURITY.md

+12
@@ -0,0 +1,12 @@
1+
# Security Policy
2+
3+
## Reporting a Vulnerability
4+
5+
If you discover a potential security issue in `eksctl` project, please
6+
follow [AWS Vulnerability Reporting process.](https://aws.amazon.com/security/vulnerability-reporting/)
7+
8+
Do not open security related issues in the open source project. So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
9+
10+
The information you share with AWS as part of this process is kept confidential within AWS. AWS will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, AWS will only share this information as permitted by you.
11+
12+
AWS is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from AWS at least every five US working days.
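
Review bot: the confidentiality paragraph at new line 10 says reports are "kept confidential within AWS" and shared with a third party only when a third-party product is affected, yet the issue link in the README hunk of this same commit places the repository under github.com/weaveworks/eksctl. The file should state whether project maintainers outside AWS receive reports, and on what terms, so a reporter knows who will see the proof-of-concept material requested at line 8. The file also names no contact channel of its own; the only route is the external link at line 6, so it would help to spell out the reporting address in the text as well. Line 8 joins the "Do not open security related issues" instruction and the request for supporting material in one paragraph; splitting them would make the instruction harder to miss.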
