Create SECURITY.md (#3698)

* Create SECURITY.md

Signed-off-by: Merel Theisen <[email protected]>

SECURITY.md

@@ -0,0 +1,32 @@
+# Security policy
+
+Kedro and its community take security bugs seriously. We appreciate efforts to improve the security of all Kedro products
+and follow the [GitHub coordinated disclosure of security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)
+for responsible disclosure and prompt mitigation. We are committed to working with security researchers to
+resolve the vulnerabilities they discover.
+
+## Supported versions
+
+The latest versions of [Kedro](https://github.com/kedro-org/kedro), [Kedro-Viz](https://github.com/kedro-org/kedro-viz/), [Kedro Starters](https://github.com/kedro-org/kedro-starters) and the [Kedro plugins](https://github.com/kedro-org/kedro-plugins) have continued support. Any critical vulnerability will be fixed and a release will be done for the affected project as soon as possible.
+
+## Reporting a vulnerability
+
+When finding a security vulnerability in [Kedro](https://github.com/kedro-org/kedro), [Kedro-Viz](https://github.com/kedro-org/kedro-viz/), [Kedro Starters](https://github.com/kedro-org/kedro-starters) or any of the official [Kedro plugins](https://github.com/kedro-org/kedro-plugins), perform the following actions:
+
+- [Open an issue](https://github.com/kedro-org/kedro/issues/new?assignees=&labels=Issue%3A%20Bug%20Report%20%F0%9F%90%9E&template=bug-report.md&title=%28security%29%20Security%20Vulnerability) on the Kedro repository. Ensure that you use `(security) Security Vulnerability` as the title and _do not_ mention any vulnerability details in the issue post.
+- Send a notification [email](mailto:[email protected]) to the Kedro Framework maintainers that contains, at a minimum:
+  - The link to the filed issue stub.
+  - Your GitHub handle.
+  - Detailed information about the security vulnerability, evidence that supports the relevance of the finding and any reproducibility instructions for independent confirmation.
+
+This first stage of reporting is to ensure that a rapid validation can occur without wasting the time and effort of a reporter. Future communication and vulnerability resolution will be conducted after validating
+the veracity of the reported issue.
+
+A Kedro maintainer will, after validating the report:
+
+- Acknowledge the bug
+- Mark the issue with a `Blocker📛` priority
+- Open a draft [GitHub Security Advisory](https://docs.github.com/en/code-security/security-advisories/creating-a-security-advisory)
+  to discuss the vulnerability details in private.
+
+The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.

docs/source/contribution/index.md

@@ -7,6 +7,7 @@ We welcome any and all contributions to Kedro, at whatever level you can manage.
 - Start a conversation about the Kedro project on [GitHub discussions](https://github.com/kedro-org/kedro/discussions)
 - Make a pull request on the [`awesome-kedro` GitHub repo](https://github.com/kedro-org/awesome-kedro) to update the curated list of Kedro community content
 - Report a bug or propose a new feature on [GitHub issues](https://github.com/kedro-org/kedro/issues)
+- View the Kedro [security policy](https://github.com/kedro-org/kedro/blob/main/SECURITY.md) to report a security vulnerability.
 - [Review other contributors' PRs](https://github.com/kedro-org/kedro/pulls)
 - [Contribute code](https://github.com/kedro-org/kedro/wiki/Guidelines-for-contributing-developers), for example to fix a bug or add a feature
 - [Contribute to the documentation](https://github.com/kedro-org/kedro/wiki/Contribute-to-the-Kedro-documentation)