Add Airship Vulnerability Management Process

This change documents the Airship vulnerability management process.
GitHub issues will redirect users here who intend to report Airship
security vulnerabilities.

Change-Id: I2358be70f4bf6b4ede38537e2b078ffb3e2081e5
Signed-off-by: Drew Walters <andrew.walters@att.com>

doc/source/security/guide.rst

@@ -54,3 +54,4 @@ Airship Security Topics
   template
   haproxy
   ubuntu
+  vulnerabilities

doc/source/security/vulnerabilities.rst

@@ -0,0 +1,70 @@
+..
+      Licensed under the Apache License, Version 2.0 (the "License"); you may
+      not use this file except in compliance with the License. You may obtain
+      a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+      License for the specific language governing permissions and limitations
+      under the License.
+
+.. _vulnerabilities:
+
+Airship Security Vulnerability Management
+=========================================
+
+The Airship community is committed to expediently confirming, resolving, and
+disclosing all reported security vulnerabilities. We appreciate your
+cooperation and participation in our vulnerability management process outlined
+below.
+
+Report a Vulnerability
+----------------------
+
+If you discover a vulnerability in an Airship project, please treat the issue
+with a sense of confidentiality and disclose it to the `airship-security
+mailing list`_:
+
+    airship-security@lists.airshipit.org
+
+Additionally, please include any potential fixes, as doing so can expedite the
+disclosure and patching processes.
+
+The Airship Working Committee is the sole subscriber of the `airship-security
+mailing list`_ and monitors it for reported vulnerabilities. The committee
+confirms or rejects reported vulnerabilities in correspondence with the
+vulnerability reporter. In the event that the Airship Working Committee does
+not have the expertise or availability to resolve a reported vulnerability, the
+committee may solicit assistance from outside contributors to better facilitate
+the understanding and resolution of reported security vulnerabilities.
+
+Receive Early Disclosures
+-------------------------
+
+We prefer to disclose confirmed security vulnerabilities as soon as possible.
+While circumstances may not always allow immediate disclosure, vulnerabilities
+may be disclosed over the `airship-embargo-notice mailing list`_ when a fix
+becomes available. The airship-embargo-notice mailing list notifies Airship
+users of confirmed vulnerabilities. If you operate Airship in a production
+environment, we recommend subscribing to the `airship-embargo-notice mailing
+list`_ by contacting the Airship Working Committee. The Airship Working
+Committee evaluates subscription requests on a case-by-case basis.
+
+Receive Public Disclosures
+--------------------------
+
+Within ninety days of the initial vulnerability report, except in unusual
+circumstances, the Airship Working Committee will publicly disclose the
+reported vulnerability and its mitigation over the `airship-announce`_ and
+`airship-discuss`_ mailing lists. If a fix merges before the aforementioned
+ninety day period expires, the Airship Working Committee will instead disclose
+the vulnerability and fix twenty-one days later. We recommend subscribing to
+both mailing lists in order to receive security updates.
+
+.. _airship-security mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-security
+.. _airship-embargo-notice mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-embargo-notice
+.. _airship-announce: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-announce
+.. _airship-discuss: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-discuss