From 0733a28ec57a395296aa3107aaceb646f1bc7c5c Mon Sep 17 00:00:00 2001 From: Eric Woolsey Date: Tue, 5 Nov 2024 08:39:34 -0800 Subject: [PATCH] SECURITY.md --- README.md | 10 ++++++++++ SECURITY.md | 15 +++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index b2a36c2..06d5c1c 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,13 @@ # world-id-relay Service to bridge World ID roots from Ethereum to various Layer 2s + +### Running + +For a simple configuration example please see the config.stage.toml. + +You can run the `world-id-relay` with + +```bash +cargo run -- --config my_config.toml +``` diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..4ee38fa --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,15 @@ +# Report a security issue + +The project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via [remco@wicked.ventures](mailto:remco@wicked.ventures). Security issues should not be reported via the public Github Issue tracker. + +## Vulnerability coordination + +Remediation of security vulnerabilities is prioritized by the project team. The project team coordinates remediation with third-party project stakeholders via [Github Security Advisories](https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories). Third-party stakeholders may include the reporter of the issue, affected direct or indirect users of this project, and maintainers of upstream dependencies if applicable. + +Downstream project maintainers and users can request participation in coordination of applicable security issues by sending your contact email address, Github username(s) and any other salient information to [remco@wicked.ventures](mailto:remco@wicked.ventures). Participation in security issue coordination processes is at the discretion of the project team. + +## Security advisories + +The project team is committed to transparency in the security issue disclosure process. The project team announces security issues via [project Github Release notes](https://github.com/Recmo/rust-app-template/releases) and the [RustSec advisory database](https://github.com/RustSec/advisory-db) (i.e. `cargo-audit`). + +
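Review bot: In the README.md hunk, the new "Running" section names `config.stage.toml` without a path or link, while the command below it passes `--config my_config.toml`, so the relation between the two files is left for the reader to guess. Suggest linking the example file with a relative path and saying that `my_config.toml` is a local copy of it. This diff does not add `config.stage.toml`, so please confirm it is already in the repository. Minor style point: the section is added as `### Running` directly under the `#` title, which skips a heading level; `## Running` would match the `##` headings used in SECURITY.md.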
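Review bot: In the SECURITY.md hunk, the "Security advisories" section links the release notes to `https://github.com/Recmo/rust-app-template/releases`, which is a different repository from `world-id-relay` and reads like a leftover from a template; anyone following it to look for an advisory about this project would land in the wrong place. Suggest pointing the link at this project's own releases page. For the same reason, please confirm that `remco@wicked.ventures`, the only private channel given for both reports and coordination requests, is the intended and monitored contact for this project rather than a template default. Smaller points: the Security Advisories link uses the older `help.github.com/en/...` URL, and "Github" should be spelled "GitHub" throughout.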