author: Brian P O'Rourke <brian@orourke.io> 2020-07-11 09:37:41 -0700
committer: Oran Agra <oran@redislabs.com> 2020-07-22 16:24:39 +0300
commit: 99e6e732352c483bcbd9efae7aaf0560f3e88173 (patch)
tree: 1d60c926e0d7396ca242dfdcd9a04b8c8716c5fa
parent: 3e35ac9d7f2d2fc326443061c3323c0538a85ed0 (diff)
download: redis-99e6e732352c483bcbd9efae7aaf0560f3e88173.tar.gz
Add contribution guidelines for vulnerability reports
-rw-r--r--CONTRIBUTING20
-rw-r--r--README.md2
2 files changed, 21 insertions, 1 deletions
diff --git a/CONTRIBUTING b/CONTRIBUTING
index 800d7bd21..394fe02ad 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -20,6 +20,26 @@ There is also an active community of Redis users at Stack Overflow:
http://stackoverflow.com/questions/tagged/redis
+# Reporting Security Bugs
+
+*If you are reporting a security bug*, please contact the core team privately
+by emailing redis@redis.io. Your report will be acknowledged by a core team
+member and once the report has been reviewed you will receive a more detailed
+response including next steps.
+
+If you do not receive a reply you can escalate to the Redis Google Group,
+linked above. Because this group is a public space please do not disclose the
+issue in detail, only say that you are trying to reach the core team for a
+security issue.
+
+Redis follows a responsible disclosure process:
+
+1. Reports are reviewed and analyzed privately
+2. Patches are prepared for supported versions of Redis
+3. Vendor lists are notified with an embargo date to reduce the public impact
+4. We push a fix release and your bug can be posted publicly with credit in
+ release notes and the version history (and our thanks!)
+
# How to provide a patch for a new feature
1. If it is a major feature or a semantical change, please don't start coding
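Review bot: the only private channel the new section offers is a plain mailbox ("by emailing redis@redis.io"), and nothing tells a reporter how to send details confidentially or how long to wait before the fallback applies; the line "Your report will be acknowledged by a core team member" gives no timeframe, yet the next paragraph tells reporters to escalate to a public Google Group if they hear nothing. Suggest adding a public key (or a pointer to where one can be obtained) for the report address and an explicit acknowledgement window, e.g. "You should receive an acknowledgement within N business days; if not, escalate as below", so that the escalation step cannot be triggered prematurely and reporters are not pushed toward a public forum while details are still unpatched. Also worth stating in step 3 what "vendor lists" means (which distribution or vendor lists are notified) so reporters understand who sees the report before the public fix.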
diff --git a/README.md b/README.md
index 55537e01f..a3c5def9f 100644
--- a/README.md
+++ b/README.md
@@ -203,7 +203,7 @@ of the BSD license that you can find in the [COPYING][1] file included in the Re
source distribution.
Please see the [CONTRIBUTING][2] file in this source distribution for more
-information.
+information, including details on our process for security bugs/vulnerabilities.
[1]: https://github.com/redis/redis/blob/unstable/COPYING
[2]: https://github.com/redis/redis/blob/unstable/CONTRIBUTING
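Review bot: the README change only adds a clause pointing at CONTRIBUTING ("including details on our process for security bugs/vulnerabilities"), so the reporting address is discoverable solely by readers who follow that link and then scroll to the new section. Consider adding a short SECURITY.md at the repository root that carries the same email address and a link to the CONTRIBUTING section; GitHub surfaces that file under the repository's Security tab, which is where many reporters look first, and keeping the full process text in one place (CONTRIBUTING) with SECURITY.md as a pointer avoids the two drifting apart.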