Create SECURITY.md

[sarayourfriend]

Changes proposed in this Pull Request

• Add a security policy

Note: I just took a stab at copying Jetpack's policy from here: https://raw.githubusercontent.com/Automattic/jetpack/master/SECURITY.md

I think we want to add a blurb about WP Desktop, so I've left a section open for that. @nsakaimbo could you help with that part?

Fixes #33385

[matticbot]

Test live: https://calypso.live/?branch=add/security-policy

[matticbot]

Here is how your PR affects size of JS and CSS bundles shipped to the user's browser:

App Entrypoints (~91 bytes added 📈 [gzipped])

name                   parsed_size           gzip_size
entry-main                  +493 B  (+0.0%)      +91 B  (+0.0%)
entry-login                 +200 B  (+0.0%)      +34 B  (+0.0%)
entry-gutenboarding         +200 B  (+0.0%)      +34 B  (+0.0%)
entry-domains-landing       +200 B  (+0.0%)      +34 B  (+0.0%)

Common code that is always downloaded and parsed every time the app is loaded, no matter which route is used.

Sections (~3891 bytes removed 📉 [gzipped])

name                parsed_size           gzip_size
jetpack-connect          +255 B  (+0.0%)     +275 B  (+0.1%)
google-my-business       +183 B  (+0.1%)    +1027 B  (+1.1%)
marketing                -126 B  (-0.0%)     +692 B  (+0.4%)
plans                    +103 B  (+0.0%)      +18 B  (+0.0%)
devdocs                   -31 B  (-0.0%)       -5 B  (-0.0%)

Sections contain code specific for a given set of routes. Is downloaded and parsed only when a particular route is navigated to.

Async-loaded Components (~42 bytes removed 📉 [gzipped])

name                                            parsed_size           gzip_size
async-load-design-wordpress-components-gallery        -31 B  (-0.0%)      -42 B  (-0.0%)

React components that are loaded lazily, when a certain part of UI is displayed for the first time.

Legend

What is parsed and gzip size?

Parsed Size: Uncompressed size of the JS and CSS files. This much code needs to be parsed and stored in memory.
Gzip Size: Compressed size of the JS and CSS files. This much data needs to be downloaded over network.

Generated by performance advisor bot at iscalypsofastyet.com.

[nsakaimbo]

Thanks for the ping, @saramarcondes! I'm not too well-versed here, but my educated guess is we'd probably want to defer to Automattic's security policy as well. @belcherj Any thoughts here? Or perhaps we can borrow from the language used by Simplenote?

Quick question:

It says Automattic's Security Policy is located at https://automattic.com/security/ - however that link doesn't appear to be a policy? (This page only states resources for support and to report vulnerabilities - not exactly policy documentation?)

[tyxla]

Thanks for this one 👍

Looks good to me in general. Left some thoughts.

[sarayourfriend]

@nsakaimbo I've updated the section about WordPress Desktop. Please let me know if it makes sense/is correct.

@tyxla I've updated the document generally by copying the blurb about security from the automattic.com/security page rather than linking to it. I think this makes sense because the relevant aspects of that page (application security) are difficult to immediately locate on the page given the prominence of account security details on it.

[tyxla]

Not much to add 👍 LGTM from my perspective

[sarayourfriend]

Merging, @nsakaimbo if you end up needing to make changes or need help with this just ping us 🙂