Add SECURITY.md.

README.md

@@ -88,11 +88,10 @@ That oldest version known to work is documented as the MSRV in
 Bug Reporting
 -------------
 
-Please report bugs either as pull requests or as issues in [the issue
-tracker](https://github.com/briansmith/ring/issues). *ring* has a
-**full disclosure** vulnerability policy. **Please do NOT attempt to report
-any security vulnerability in this code privately to anybody.**
+Please see [SECURITY.md](SECURITY.md) for help on reporting security vulnerabilities.
 
+Please report bugs that aren't security vulnerabilities either as pull requests or as issues in
+[the issue tracker](https://github.com/briansmith/ring/issues).
 
 
 License

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+The latest release of *ring* is supported. The fixes for any security issues found will be included
+in the next release.
+
+
+## Reporting a Vulnerability
+
+Please [use *ring*'s security advisory reporting tool provided by
+GitHub](https://github.com/briansmith/ring/security/advisories/new) to report security issues.
+
+We strive to fix security issues as quickly as possible. Across the industry, often the developers'
+slowness in developing and releasing a fix is the biggest delay in the process; we take pride in
+minimizing this delay as much as we practically can. We encourage you to also minimize the delay
+between when you find an issue and when you contact us. You do not need to convince us to take your
+report seriously. You don't need to create a PoC or a patch if that would slow down your reporting.
+You don't need an elaborate write-up. A short, informal note about the issue is good. We can always
+communicate later to fill in any details we need after that first note is shared with us.