From c7dfb12630b907399799c394aaad9eb4d632847a Mon Sep 17 00:00:00 2001 From: danceratopz Date: Tue, 1 Oct 2024 16:47:00 +0200 Subject: [PATCH] feat(docs): describe how to report vulnerabilities (#848) --- README.md | 2 ++ SECURITY.md | 9 +++++++++ docs/index.md | 7 +++++++ 3 files changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index d1977af4f6..5ccb443846 100644 --- a/README.md +++ b/README.md @@ -176,6 +176,8 @@ If you encounter issues during the installation process, please refer to the [In Contributions and feedback are welcome. Please see the [online documentation](https://ethereum.github.io/execution-spec-tests/writing_tests/) for this repository's coding standards and help on implementing new tests. +Care is required when adding PRs or issues for functionality that is live on Ethereum mainnet, please refer to the [Security Policy](SECURITY.md) for more information about reporting vulnerabilities and eligibility for the [bug bounty program](https://bounty.ethereum.org). + ## License This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..15eb41a778 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Security Policy + +## Reporting a Vulnerability + +- **Please do not create a PR with a vulnerability visible.** + +- **Please do not file a public ticket mentioning the vulnerability.** + +To find out how to disclose a vulnerability in Ethereum visit [https://bounty.ethereum.org](https://bounty.ethereum.org) or email bounty@ethereum.org. diff --git a/docs/index.md b/docs/index.md index e4c4479f34..89812f8c16 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -86,3 +86,10 @@ The motivation to implement test cases in [ethereum/execution-spec-tests](https: !!! success "Contributing" Contributions via [PR](https://github.com/ethereum/execution-spec-tests/pulls) are welcome! + +!!! bug "Reporting a Vulnerability" + + Care is required when adding PRs or issues for functionality that is live on Ethereum mainnet. Please report vulnerabilities and verify bounty eligibility via the [bug bounty program](https://bounty.ethereum.org). + + - **Please do not create a PR with a vulnerability visible.** + - **Please do not file a public ticket mentioning the vulnerability.**
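Review bot: The added README.md line is a comma splice ("...live on Ethereum mainnet, please refer to..."), while the equivalent sentence in the docs/index.md hunk is correctly split into two sentences; align the README wording with the docs version, e.g. "Care is required when adding PRs or issues for functionality that is live on Ethereum mainnet. Please refer to the [Security Policy](SECURITY.md) ...", so the two copies of this guidance do not drift apart.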
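Review bot: The new SECURITY.md never states what counts as a vulnerability for this repository, whereas the README.md and docs/index.md hunks both scope it to "functionality that is live on Ethereum mainnet"; since SECURITY.md is the file a reporter is most likely to land on, add that scope sentence there too (e.g. a test case that exposes incorrect behaviour in a feature already live on mainnet should not be opened as a public PR or issue). Also consider making the e-mail address a mailto link, `[bounty@ethereum.org](mailto:bounty@ethereum.org)`, and putting the "how to report" sentence before the two "do not" bullets so the reader sees the correct channel first.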
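Review bot: The docs/index.md admonition duplicates the README.md and SECURITY.md text almost verbatim, so the same policy now lives in three places with slightly different wording; to avoid drift, keep the two bullets and the bounty link here but also point the admonition at the repository's SECURITY.md (a GitHub URL rather than a relative link, since the rendered docs site will not resolve `SECURITY.md` from `docs/`), making SECURITY.md the single source of truth. Note that the `!!! bug` admonition body and its bullets must be indented by four spaces for the MkDocs admonition extension to render them inside the box; the indentation is not visible in this extracted hunk, so please verify it in the rendered docs.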