Explicit SECURITY.md that reflects Kata’s rolling-release model
(monthly cadence, no long-term branches) and sets clear expectations
for reporters and downstream users.
With the SECURITY.md in place we also need the SECURITY_CONTACTS.
- Add alternative reporting method (email) for non-GitHub users
- Add section for downstream distributions and vendors with early notification details
- Clarify that timelines are independent objectives, not sequential steps
- Reorder disclosure process to emphasize patch releases are exceptions
- Update git tag command in version table (remove unnecessary pipe)
- Expand FAQ with downstream distribution and non-GitHub reporter questions
- Update timestamp to reflect current changes (2026-04-01)
- Update SECURITY_CONTACTS with email contact and downstream notification info
- Clarify CVE assignment process through GitHub
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>