feat(docs): describe how to report vulnerabilities (ethereum#848)

README.md

@@ -176,6 +176,8 @@ If you encounter issues during the installation process, please refer to the [In
 
 Contributions and feedback are welcome. Please see the [online documentation](https://ethereum.github.io/execution-spec-tests/writing_tests/) for this repository's coding standards and help on implementing new tests.
 
+Care is required when adding PRs or issues for functionality that is live on Ethereum mainnet, please refer to the [Security Policy](SECURITY.md) for more information about reporting vulnerabilities and eligibility for the [bug bounty program](https://bounty.ethereum.org).
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+- **Please do not create a PR with a vulnerability visible.**
+
+- **Please do not file a public ticket mentioning the vulnerability.**
+
+To find out how to disclose a vulnerability in Ethereum visit [https://bounty.ethereum.org](https://bounty.ethereum.org) or email [email protected].

docs/index.md

@@ -86,3 +86,10 @@ The motivation to implement test cases in [ethereum/execution-spec-tests](https:
 
 !!! success "Contributing"
     Contributions via [PR](https://github.com/ethereum/execution-spec-tests/pulls) are welcome!
+
+!!! bug "Reporting a Vulnerability"
+
+    Care is required when adding PRs or issues for functionality that is live on Ethereum mainnet. Please report vulnerabilities and verify bounty eligibility via the [bug bounty program](https://bounty.ethereum.org).
+
+    - **Please do not create a PR with a vulnerability visible.**
+    - **Please do not file a public ticket mentioning the vulnerability.**