Moved security bugs and vulnerability policy to SECURITY.md (#8938)

Moved security bugs and vulnerability policy to SECURITY.MD and extended security policy.

Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>

CONTRIBUTING

@@ -20,30 +20,12 @@ There is also an active community of Redis users at Stack Overflow:
 
     http://stackoverflow.com/questions/tagged/redis
 
-# Reporting Security Bugs
-
-*If you are reporting a security bug*, please contact the core team privately
-by emailing redis@redis.io. Your report will be acknowledged by a core team
-member and once the report has been reviewed you will receive a more detailed
-response including next steps.
-
-If you do not receive a reply you can escalate to the Redis Google Group,
-linked above. Because this group is a public space please do not disclose the
-issue in detail, only say that you are trying to reach the core team for a
-security issue.
-
-Redis follows a responsible disclosure process:
-
-1. Reports are reviewed and analyzed privately
-2. Patches are prepared for supported versions of Redis
-3. Vendor lists are notified with an embargo date to reduce the public impact
-4. We push a fix release and your bug can be posted publicly with credit in
-   release notes and the version history (and our thanks!)
-
-  Issues and pull requests for documentation belong on the redis-doc repo:
+Issues and pull requests for documentation belong on the redis-doc repo:
 
     https://github.com/redis/redis-doc
 
+If you are reporting a security bug or vulnerability, see SECURITY.md.
+
 # How to provide a patch for a new feature
 
 1. If it is a major feature or a semantical change, please don't start coding

README.md

@@ -224,10 +224,11 @@ of the BSD license that you can find in the [COPYING][1] file included in the Re
 source distribution.
 
 Please see the [CONTRIBUTING][2] file in this source distribution for more
-information, including details on our process for security bugs/vulnerabilities.
+information. For security bugs and vulnerabilities, please see [SECURITY.md][3].
 
 [1]: https://github.com/redis/redis/blob/unstable/COPYING
 [2]: https://github.com/redis/redis/blob/unstable/CONTRIBUTING
+[3]: https://github.com/redis/redis/blob/unstable/SECURITY.md
 
 Redis internals
 ===

SECURITY.md

@@ -0,0 +1,43 @@
+# Security Policy
+
+## Supported Versions
+
+Redis is generally backwards compatible with very few exceptions, so we
+recommend users to always use the latest version to experience stability,
+performance and security.
+
+We generally backport security issues to a single previous major version,
+unless this is not possible or feasible with a reasonable effort.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 6.2.x   | :white_check_mark: |
+| 6.0.x   | :white_check_mark: |
+| 5.0.x   | :white_check_mark: |
+| < 5.0   | :x:                |
+
+## Reporting a Vulnerability
+
+If you believe you’ve discovered a serious vulnerability, please contact the
+Redis core team at redis@redis.io. We will evaluate your report and if
+necessary issue a fix and an advisory. If the issue was previously undisclosed,
+we’ll also mention your name in the credits.
+
+## Responsible Disclosure
+
+In some cases, we may apply a responsible disclosure process to reported or
+otherwise discovered vulnerabilities. We will usually do that for a critical
+vulnerability, and only if we have a good reason to believe information about
+it is not yet public.
+
+This process involves providing an early notification about the vulnerability,
+its impact and mitigations to a short list of vendors under a time-limited
+embargo on public disclosure.
+
+Vendors on the list are individuals or organizations that maintain Redis
+distributions or provide Redis as a service, who have third party users who
+will benefit from the vendor’s ability to prepare for a new version or deploy a
+fix early.
+
+If you believe you should be on the list, please contact us and we will
+consider your request based on the above criteria.