Add SECURITY.md file and update references to CVD policy

Signed-off-by: Michael Munday <[email protected]>

CONTRIBUTING.md

@@ -43,6 +43,9 @@ involved.
   first.
 * If a relevant bug or tracking issue exists, reference it in the pull request
   and commits.
+* Do not report security vulnerabilities through public GitHub issues or pull
+  requests. For instructions on how to report vulnerabilities, please consult
+  SECURITY.md.
 
 Please see [Contributing to OpenTitan](https://opentitan.org/book/doc/contributing)
 for more general guidance.

SECURITY.md

@@ -0,0 +1,5 @@
+If you have discovered a security vulnerability, we appreciate your help by disclosing it to us in a responsible manner.
+Please refer to https://opentitan.org/cvd-policy for a description of our disclosure process.
+
+List of Fingerprints for current selection of authentic PGP keys to be used for encrypting communication of vulnerabilities to OpenTitan:
+* 5C74 B08E 288D 5FD6 69BE  218D 39CD 4C54 4C96 B543

doc/contributing/README.md

@@ -41,9 +41,11 @@ For example,
 * to ensure responsible disclosure of vulnerabilities,
 * or to discuss the security impact of new features or proposed changes to an existing feature.
 
-If you believe you have found a security issue or intend to work on potentially security sensitive matters, please first reach out to our experienced security team at [email protected] before starting a public discussion.
+If you intend to work on potentially security sensitive matters, please first reach out to our experienced security team at [email protected] before starting a public discussion.
 That will enable us to engage successfully without creating undue risk to the project or its consumers.
 
+Please refer to https://opentitan.org/cvd-policy for a description of our disclosure process.
+
 ## Contributing code
 
 The information below aims at helping you get involved in the OpenTitan project by guiding you through our process of preparing your contribution and getting it integrated.