From 4ca42e3b587fcb07daa8122c86966ac74f27a0c0 Mon Sep 17 00:00:00 2001 From: Syed Muhammad Dawoud Sheraz Ali <40599381+DawoudSheraz@users.noreply.github.com> Date: Thu, 21 Mar 2024 12:53:16 +0500 Subject: [PATCH 1/2] docs: Create SECURITY.md --- SECURITY.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..51005bfbb3 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,16 @@ +# Tutor Security Policy + + +## Reporting a Vulnerability + +To ensure the health of the codebase and the larger Open edX and Tutor communities, please do not create GitHub issues for a security vulnerability. Report any security vulnerabilities or concerns by sending an email to [security.tutor@edly.io](mailto:security.tutor@edly.io). To ensure a timely triage and fix of the security issue, include as many details you can when reporting the vulnerability. Some pieces of information to consider: + +* The nature of the vulnerability, e.g. + * Authentication and Authorization + * Data Integrity and Confidentiality + * Security Configurations + * Third-party dependencies +* The impact of the security risk +* A detailed description of the steps necessary to reproduce the issue +* The links to the vulnerable code +* The links to third-party libraries/packages if the vulnerability is present in such a dependency. From 87db20c791481cf312ff82d40d23b15918eabdf3 Mon Sep 17 00:00:00 2001 From: DawoudSheraz Date: Wed, 27 Mar 2024 17:35:29 +0500 Subject: [PATCH 2/2] docs: small updates --- SECURITY.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 51005bfbb3..38079484f8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,4 +1,4 @@ -# Tutor Security Policy +# Tutor Ethical Vulnerability Disclosure Policy ## Reporting a Vulnerability 
@@ -14,3 +14,6 @@ To ensure the health of the codebase and the larger Open edX and Tutor communiti * A detailed description of the steps necessary to reproduce the issue * The links to the vulnerable code * The links to third-party libraries/packages if the vulnerability is present in such a dependency. + +## Bug Bounty +Edly/Tutor does not offer a bug bounty for reported vulnerabilities.
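Review bot: the reporting section in the first patch's hunk tells reporters where to send a vulnerability but not what to expect back; add a sentence on acknowledgement and triage timing (for example "We will acknowledge your report within N business days", with N chosen by the maintainers) and, if the project has one, a PGP key or other confidential channel, since the checklist asks for reproduction steps and links to vulnerable code, which are sensitive when sent over plain email. Minor grammar in the same paragraph: "include as many details you can" should read "include as many details as you can".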
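Review bot: the retitling to "Tutor Ethical Vulnerability Disclosure Policy" in the second patch's first hunk promises a disclosure policy, but the body still only covers how to report; state what the project expects of the reporter (hold public disclosure until a fix is released or an agreed period has passed) and what the project commits to in return (acknowledgement, a fix or advisory, credit if wanted), otherwise the new heading overstates what the document contains.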
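Review bot: style point in the "Bug Bounty" hunk: the "## Reporting a Vulnerability" heading is followed by a blank line before its paragraph, while "## Bug Bounty" runs directly into "Edly/Tutor does not offer a bug bounty for reported vulnerabilities."; insert a blank line after the heading for consistency. The statement itself is clear, but if the project credits valid reports in release notes or advisories, say so here so the no-bounty line does not read as a deterrent to reporting.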