From 20ac8736e778f5da4b9348c5a698259da3f95a3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 15:21:52 +0200 Subject: [PATCH] docs: add security escalation policy --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a94b8e8e5..8eb246f98 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,3 +11,12 @@ Vulnerabilities may be reported to labs@sitepen.com. Please include a description of the vulnerability and steps to reproduce it. Suggested resolutions are also welcome. + +## Escalation + +If you do not receive an acknowledgement of your report within 6 business days, or if you +cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA +at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within +14 days, escalation is also appropriate.
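Review bot: The two escalation thresholds in the added `## Escalation` section use different units. The first paragraph says "within 6 business days", while the second says "within 14 days" without stating whether those are business or calendar days. Suggest making the second explicit (for example "within 14 calendar days") so a reporter can tell when the window has elapsed. The second paragraph also ends with "escalation is also appropriate" without naming the destination; wording it as "you may also escalate to the OpenJS Foundation CNA" would let it stand on its own. Lastly, the clause "or if you cannot find a private security contact for the project" sits a few lines below "Vulnerabilities may be reported to labs@sitepen.com" in the same file, so it is unlikely to apply to anyone reading this document; either drop it or confirm it is kept deliberately as shared template wording.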