* SECURITY.md: Add a file stating how to report security issues

SECURITY.md

@@ -0,0 +1,84 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+At GNU Wget, we take security seriously and appreciate the efforts of security
+researchers in identifying and disclosing vulnerabilities responsibly. If you
+believe you've discovered a security vulnerability in GNU Wget, we encourage you
+to disclose it to us privately and work with us to ensure it is addressed
+promptly and appropriately.
+
+To report a vulnerability, please contact the maintainers directly via email.
+The names and contact details of the current maintainers is always available via
+the AUTHORS file in this repository. In order to send an encrypted email,
+please use the keyring available at the following URL:
+https://savannah.gnu.org/project/release-gpgkeys.php?group=wget
+
+
+Please include the following information in your report:
+
+- A detailed description of the vulnerability
+- The version(s) of GNU Wget that are affected.
+- Steps to reproduce the vulnerability.
+- Any proof-of-concept or exploit code, if applicable.
+- Your contact information for coordination and follow-up.
+
+Once we receive your report, we will acknowledge receipt and work with you to
+investigate the issue. We work on GNU Wget on a volunteer basis and as such may
+face delays in responding immediately. We aim to respond to initial reports
+within 5 working days and will keep you informed of our progress throughout the
+resolution process.
+
+Please refrain from disclosing the vulnerability publicly until we have had an
+opportunity to investigate and address it. We appreciate your cooperation in
+helping to keep GNU Wget and its users secure.
+
+## Vulnerability Disclosure Policy
+
+Once a security vulnerability has been identified and confirmed, we will take
+the following steps:
+
+1. **Investigation**: We will promptly investigate the reported vulnerability to
+   verify its authenticity and determine its scope and impact.
+
+2. **Resolution**: Once validated, we will develop and test a fix for the
+   vulnerability. We will strive to address the issue as quickly as possible and
+   prepare a patch for release.
+
+3. **Coordination**: We will work with the reporter to ensure that the
+   vulnerability is disclosed responsibly and coordinated with the release of
+   the fix.
+
+4. **Release**: Upon completion of the fix and any necessary testing, we will
+   release a new version of GNU Wget that addresses the vulnerability. We will
+   provide appropriate credit to the reporter in the release notes, unless
+   otherwise requested.
+
+5. **Public Disclosure**: We will coordinate the public disclosure of the
+   vulnerability with the reporter and other relevant stakeholders. Once the fix
+   is widely available, we will publish an advisory detailing the vulnerability
+   and its resolution.
+
+We strive to follow these steps in a timely and transparent manner, while
+prioritizing the security and stability of GNU Wget and its users.
+
+## Responsible Disclosure Guidelines
+
+In order to protect our users and systems, we ask that security researchers
+adhere to the following guidelines when reporting vulnerabilities to GNU Wget:
+
+- **Responsible Disclosure**: Please disclose vulnerabilities to us privately
+  and allow us a reasonable amount of time to investigate and address them
+  before disclosing them publicly.
+
+- **Cooperation**: We appreciate your cooperation and collaboration throughout
+  the disclosure process. We will do our best to keep you informed of our
+  progress and coordinate the release of information with you.
+
+- **Respect**: Please respect our users' privacy and refrain from any actions
+  that could cause harm or disrupt our systems. We ask that you do not exploit
+  or disclose vulnerabilities before they have been resolved.
+
+By following these guidelines, you can help us maintain the security and
+integrity of GNU Wget for the benefit of all users. We thank you for your
+contributions to our project and for helping to make the internet a safer place.