Our security policy was still pointing to the policy in the containers org and needs
to be updated. (e.g. disclosure should not be via the Podman security list)
We have one public mailing list today that anyone can join,
cncf-podman-desktop-maintainers@lists.cncf.io. We've created a second, private list
for security issues: cncf-podman-desktop-security@lists.cncf.io.
This PR keeps the same policy/process as the containers org, except:
- asks for disclosure via our own -security list
- adds GitHub security reporting as another option
- announcements are done via our own -maintainers. (announcements could go elsewhere
later, but it doesn't seem worth creating another list at this point)
Fixes #15762.
Signed-off-by: Tim deBoer <git@tdeboer.ca>