From 7d2a44226ae428e4470fd4221f6a95ccdda57ff2 Mon Sep 17 00:00:00 2001 From: Cameron Dixon Date: Mon, 29 May 2023 07:39:03 -0400 Subject: [PATCH 1/2] Create SECURITY.md add more relevant blurb than cisagov default --- .github/SECURITY.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..46b7e500f --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,3 @@ +If you've found a security or privacy issue on the .gov top-level domain infrastructure, email dotgov@cisa.dhs.gov. + +If you see a security or privacy issue on a .gov domain, check [current-full.csv]([url](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv)) or whois (same data) to see if the domain has a security contact. Most [federal (executive branch) agencies]([url](https://github.com/cisagov/vdp-in-fceb/)) also have a vulnerability disclosure policy. If you are unable to find a contact or receive no response from the security contact, you may email dotgov@cisa.dhs.gov. From 7563cff1c04715ddc9abcc408060d1efb1e5f7b9 Mon Sep 17 00:00:00 2001 From: Cameron Dixon Date: Tue, 30 May 2023 11:30:44 -0400 Subject: [PATCH 2/2] revise SECURITY.md Revise and reformat, move VDP link lower in the doc --- .github/SECURITY.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 46b7e500f..fc27feff3 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md 
@@ -1,3 +1,5 @@ -If you've found a security or privacy issue on the .gov top-level domain infrastructure, email dotgov@cisa.dhs.gov. +* If you've found a security or privacy issue on the **.gov top-level domain infrastructure**, submit it to our [vulnerabilty disclosure form](https://forms.office.com/Pages/ResponsePage.aspx?id=bOfNPG2UEkq7evydCEI1SqHke9Gh6wJEl3kQ5EjWUKlUMTZZS1lBVkxHUzZURFpLTkE2NEJFVlhVRi4u) or email dotgov@cisa.dhs.gov. +* If you see a security or privacy issue on **an individual .gov domain**, check [current-full.csv](https://flatgithub.com/cisagov/dotgov-data/blob/main/?filename=current-full.csv) or [Whois](https://domains.dotgov.gov/dotgov-web/registration/whois.xhtml) (same data) to check whether the domain has a security contact to report your finding directly. You are welcome to Cc dotgov@cisa.dhs.gov on the email. + * If you are unable to find a contact or receive no response from the security contact, email dotgov@cisa.dhs.gov. -If you see a security or privacy issue on a .gov domain, check [current-full.csv]([url](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv)) or whois (same data) to see if the domain has a security contact. Most [federal (executive branch) agencies]([url](https://github.com/cisagov/vdp-in-fceb/)) also have a vulnerability disclosure policy. If you are unable to find a contact or receive no response from the security contact, you may email dotgov@cisa.dhs.gov. +Note that most federal (executive branch) agencies maintain a [vulnerability disclosure policy](https://github.com/cisagov/vdp-in-fceb/).
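Review bot: on the first patch's hunk (`@@ -0,0 +1,3 @@`), both Markdown links use nested link syntax, `[current-full.csv]([url](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv))` and `[federal (executive branch) agencies]([url](https://github.com/cisagov/vdp-in-fceb/))`, which renders as literal `[url]` text rather than a working link, so a reporter following the policy cannot reach the security-contact data. The target should be the bare URL, e.g. `[current-full.csv](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv)`; the second patch in this series does correct this, so the two should be squashed or the first patch fixed in place. The `whois` mention is also unlinked in this version, so readers have no pointer to the registry lookup that holds the same contact data.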
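Review bot: on the second patch's hunk (`@@ -1,3 +1,5 @@`), the first bullet misspells the main reporting channel: `[vulnerabilty disclosure form]` should read `[vulnerability disclosure form]`. The third bullet (` * If you are unable to find a contact ...`) carries a leading space that the other two bullets do not; some renderers treat that as a nested or continuation item, so align the three markers. The second bullet also doubles up on "check" ("check [current-full.csv] ... or [Whois] ... to check whether"); "to see whether the domain has a security contact" reads more cleanly. Keeping the `dotgov@cisa.dhs.gov` address alongside the form link is the right call, since an opaque forms URL gives reporters no way to confirm where their report is going.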