Changes required for a Passing grade from OpenSSF Best Practices (#…

…3718)

* Add `SECURITY.md` and `SECURITY_CONTACTS`

Signed by: Randall T. Vasquez <[email protected]>

* Add OpenSFF Best Practices badge

Signed by: Randall T. Vasquez <[email protected]>

Co-authored-by: Matthew Phillips <[email protected]>
Co-authored-by: Nate Moore <[email protected]>

README.md

@@ -55,6 +55,8 @@ Join us on [Discord](https://astro.build/chat) to meet other maintainers. We'll
 | [@astrojs/tailwind](packages/integrations/tailwind)     | [![astro version](https://img.shields.io/npm/v/@astrojs/tailwind.svg?label=%20)](packages/integrations/tailwind/CHANGELOG.md)     |
 | [@astrojs/turbolinks](packages/integrations/turbolinks) | [![astro version](https://img.shields.io/npm/v/@astrojs/turbolinks.svg?label=%20)](packages/integrations/turbolinks/CHANGELOG.md) |
 
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6178/badge)](https://bestpractices.coreinfrastructure.org/projects/6178)
+
 Several official projects are maintained outside of this repo:
 
 | Project                                                             | Repository                                                              |

SECURITY.md

@@ -0,0 +1,22 @@
+# Astro Security
+## Reporting a Vulnerability
+To report a security issue, please email [email protected] with a detailed description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+Please remember to include everything required for us to reproduce the issue, including but not limited to a publicly accessible git repository and/or StackBlitz repository. All code samples shared with our Security team will only be used to verify and diagnose the issue and will not be publicly shared with anyone outside of Astro's teams. Astro's Security Team members may share information only within the Astro teams on a need-to-know basis to fix the related issue in Astro.
+
+Our Security team will acknowledge receiving your email within 3 working days.
+
+<ins>**If you think you've found a security issue, please DO NOT report, discuss, or describe it on Discord, GitHub, or any other public forum; without prior contact and acknowledgment of Astro's Security team.**<ins>
+
+This project follows a 90 day disclosure timeline.
+
+**_This is detrimental to the safety of all Astro users. No exceptions._**
+
+## Embargo Policy
+ The information members and others receive through participation in this group must not be made public, shared, or even hinted otherwise, except with prior explicit approval (which shall be handled on a case-by-case basis). This holds true until the agreed-upon public disclosure date/time is satisfied.
+
+As a clarifying example, this policy forbids Astro Security members from sharing list information with their employers; unless prior arrangements have been made directly with an employer.
+
+In the unfortunate event that you share the information beyond what is allowed by this policy, you must urgently inform the Astro Security Team of exactly what information leaked and to whom, as well as the steps that will be taken to prevent future leaks.
+
+**Repeated offenses may lead to the removal from the Security or Astro team.**

SECURITY_CONTACTS

@@ -0,0 +1,16 @@
+# Defined below are the security contacts for this repo.
+#
+# They are the contact point for triaging and handling of incoming 
+# Security issues.
+#
+# The below names agree to abide by the
+# [Embargo Policy](https://github.com/withastro/astro/blob/master/SECURITY.md)
+# and will be removed and replaced if they violate that agreement.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://github.com/withastro/astro/blob/master/SECURITY.md
+
+Randall T. Vasquez (@ran-dall)
+Matthew Phillips (@matthewp)
+Nate Moore (@natemoo-re)
+Fred K. Schott (@fks)