From 07bf95f8388980ae9ef25912043c1d6c8ca964e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Thu, 19 Sep 2019 13:21:48 +0200 Subject: [PATCH] doc: add info on reporting security issues --- .github/ISSUE_TEMPLATE/4-security-issues.md | 11 +++++++++++ README.md | 11 ++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 .github/ISSUE_TEMPLATE/4-security-issues.md diff --git a/.github/ISSUE_TEMPLATE/4-security-issues.md b/.github/ISSUE_TEMPLATE/4-security-issues.md new file mode 100644 index 000000000..04cd0f35f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/4-security-issues.md @@ -0,0 +1,11 @@ +--- +name: Security issues +about: Please email security@jitsi.org + +--- + +We take security very seriously and develop all Jitsi projects to be secure and safe. + +If you find (or simply suspect) a security issue in any of the Jitsi projects, please send us an email to security@jitsi.org. + +We encourage responsible disclosure for the sake of our users, so please reach out before posting in a public space. diff --git a/README.md b/README.md index 0e35a580f..a500fd087 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,8 @@ see our [guidelines for contributing](CONTRIBUTING.md). Jitsi Meet provides a very flexible way of embedding in external applications by using the [Jitsi Meet API](doc/api.md). ## Security -WebRTC does not provide a way of conducting multi-party conversations with end-to-end encryption. + +WebRTC does not (yet) provide a way of conducting multi-party conversations with end-to-end encryption. Unless you consistently compare DTLS fingerprints with your peers vocally, the same goes for one-to-one calls. As a result, your stream is encrypted on the network but decrypted on the machine that hosts the bridge when using Jitsi Meet. 
@@ -57,6 +58,14 @@ Jitsi Meet in terms of security. The [meet.jit.si](https://meet.jit.si) service is maintained by the Jitsi team at [8x8](https://8x8.com). +## Security issues + +We take security very seriously and develop all Jitsi projects to be secure and safe. + +If you find (or simply suspect) a security issue in any of the Jitsi projects, please send us an email to security@jitsi.org. + +**We encourage responsible disclosure for the sake of our users, so please reach out before posting in a public space.** + ## Acknowledgements Jitsi Meet started out as a sample conferencing application using Jitsi Videobridge. It was originally developed by ESTOS' developer Philipp Hancke who then contributed it to the community where development continues with joint forces!
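Review bot: In .github/ISSUE_TEMPLATE/4-security-issues.md the body never tells the reporter not to submit the form. Picking this template still opens the public new-issue editor pre-filled with these three paragraphs, so someone who skims can file the vulnerability details publicly, which is exactly what the last paragraph asks them to avoid. Suggest making the first body line an explicit instruction, for example "Do not open an issue for security problems; email security@jitsi.org instead", and keeping the rest as it is.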
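Review bot: In the README.md hunk at @@ -45,7 +45,8 the added "(yet)" implies that multi-party end-to-end encryption is coming, but nothing in the section says what that depends on. Either link to whatever the "(yet)" refers to or keep the original wording, so that readers assessing the security model are not left guessing. The unchanged context already states the current behaviour clearly: the stream is decrypted on the machine that hosts the bridge.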
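Review bot: The new "## Security issues" section in README.md (hunk at @@ -57,6 +58,14) gives security@jitsi.org as the only channel and says nothing about what a report should contain or how to send it confidentially. Suggest adding a sentence on what to include (affected project, version, reproduction steps) and, if the team has one, a key for encrypted mail. The three paragraphs are also a verbatim copy of the issue template body, so the two will drift over time; consider having the template point to this section instead of repeating it.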