Update SECURITY.md

Co-authored-by: Greg Kurz <groug@kaod.org>

SECURITY.md

@@ -6,14 +6,16 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
 
 ## Reporting a Vulnerability
 
-1. **Private first.**  
+* **Private first.**  
    Do **not** open a public GitHub issue or pull request.
 
-2. **Use the repository Security tab.**  
-   • Click **“Security ➜ Report a vulnerability.”**  
-   • This creates a private, access-restricted issue visible only to Kata maintainers and designated security champions.
+* **Use the offical Github documentation on how to report a vulnerability.**
+   [Creating a repository security advisory](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory)
+
+### What to Expect
+
+Once you've reported a vulnerability, here's what you can expect from our security response process. We follow OpenSSF guidelines for response timing:
 
-3. **Response targets (OpenSSF guidelines).**  
 | Action | Target time | Notes |
 | ------ | ----------- | ----- |
 | Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. |
@@ -26,7 +28,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
 
 | Release | First published | Security-fix window |
 |---------|-----------------|---------------------|
-| **Latest monthly release** | see `git tag -l` | Actively maintained |
+| **Latest monthly release** | see `git tag --sort=-creatordate \| head -n 1` | Actively maintained |
 | Any prior release | — | **Unsupported** – please upgrade |
 
 > **Why no backports?**  
@@ -38,10 +40,10 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
 
 1. We develop the fix on a private branch.  
 2. Once validated, we coordinate embargo dates with downstream consumers when appropriate.  
-3. The fix ships in **either**:
-   * A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series, **or**
-   * The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk.
-4. After the fix is public, we request a CVE ID (if not already issued) and publish details.
+3. We request a CVE ID from MITRE (or another CNA) if one hasn't already been assigned.
+4. The fix and vulnerability details are published together in **either**:
+   * Common: The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk, **or**
+   * Exception: A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series.
 
 ---
 
@@ -64,7 +66,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
 A: No. Upgrade to the latest monthly release.
 
 **Q: Can I get early access to embargoed fixes?**  
-A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](https://kata-containers/kata-containers/SECURITY_CONTACTS)) receive advance patches.
+A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](SECURITY_CONTACTS)) receive advance patches.
 
 **Q: Where can I discuss the vulnerability once it is public?**  
 A: Open/continue a GitHub issue **after** the advisory is published, or use `#kata-containers` on Slack with a link to the advisory.

SECURITY_CONTACTS

@@ -1,9 +1,13 @@
+# Copyright (c) 2025 Kata Containers Authors
+#
+# SPDX-License-Identifier: Apache-2.0
+#
 # Defined below are the security contacts for this repo.
 #
 # They are the contact point for the Product Security Committee to reach out
 # to for triaging and handling of incoming issues.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT hhttps://github.com/kata-containers/kata-containers/security
+# INSTRUCTIONS AT [SECURITY.md](SECURITY.md)
 
 @kata-containers/architecture-committee