Merge pull request #90 from lazyguru/add-security-reporting-doc

Add SECURITY.md to outline security issue reporting

.github/workflows/go.yml

@@ -47,14 +47,14 @@ jobs:
       run: go test -v ./...
 
     - name: Coverage
-      uses: gwatts/go-coverage-action@v2.0.0
+      uses: lazyguru/go-coverage-action@9b496d245c69f85ab8cef4ce57d857cc727506ee
       with:
         # Fail the build if the coverage drops below supplied percentage
         coverage-threshold: 0 # Change this as coverage improves
         # Fail the build if coverage drops below coverage-threshold.  One of "always", "never" or "only_pull_requests"
         fail-coverage: only_pull_requests
         # Adds a comment to the PR with coverage information if true. If false will only add an action summary report
-        add-comment: true
+        add-comment: false
         # One or more regular expressions matching filenames to exclude from coverage statistics (e.g. for generated Go files)
         #ignore-pattern:
 

SECURITY.md

@@ -0,0 +1,9 @@
+# Reporting Security Issues
+
+The Sublinks team and community take security bugs in Sublinks seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/sublinks/sublinks-federation/security/advisories/new) tab.
+
+The Sublinks Core Owner team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party libraries/modules to the person or team maintaining the library/module.