Add SECURITY.md

SECURITY.md

@@ -0,0 +1,37 @@
+# Reporting vulnerabilities
+
+Arm takes security issues seriously and welcomes feedback from researchers and
+the security community in order to improve the security of its products and
+services. We operate a coordinated disclosure policy for disclosing
+vulnerabilities and other security issues.
+
+Security issues can be complex and one single timescale doesn't fit all
+circumstances. We will make best endeavours to inform you when we expect
+security notifications and fixes to be available and facilitate coordinated
+disclosure when notifications and patches/mitigations are available.
+
+
+## How to Report a Potential Vulnerability?
+
+If you would like to report a public issue (for example, one with a released CVE
+number), please contact the meta-arm mailing list at
+meta-arm@lists.yoctoproject.org and arm-security@arm.com.
+
+If you are dealing with a not-yet released or urgent issue, please send a mail
+to the maintainers (see README.md) and arm-security@arm.com, including as much
+detail as possible.  Encrypted emails using PGP are welcome.
+
+For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
+
+
+## Branches maintained with security fixes
+
+meta-arm follows the Yocto release model, so see
+[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
+LTS] for detailed info regarding the policies and maintenance of stable
+branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.