From 2fa057a06ce3b515ef3b1ef5957cd83c736b9648 Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Mon, 21 May 2018 17:07:44 -0700
Subject: [PATCH] Document how to raise security issues

Update contributing documentation and the issue template with
instructions on how to report security vulnerabilities.

Closes gh-12509
---
 .github/ISSUE_TEMPLATE.md | 12 ++++++------
 CONTRIBUTING.adoc         |  8 ++++++++
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 956db4bd79..19c022f10b 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,20 +1,20 @@
 <!--
 Thanks for raising a Spring Boot issue. What sort of issue are you raising?
 
-Question
-
+❓Question
 Please ask questions about how to use something, or to understand why something isn't
 working as you expect it to, on Stack Overflow using the spring-boot tag.
 
-Bug report
-
+🐞 Bug report
 Please provide details of the problem, including the version of Spring Boot that you
 are using. If possible, please provide a test case or sample application that reproduces
 the problem. This makes it much easier for us to diagnose the problem and to verify that
 we have fixed it.
 
-Enhancement
+🚨 Security Vulnerability
+STOP!! Please don't raise security vulnerabilities here. Head over to https://pivotal.io/security to learn how to disclose them responsibly.
 
+🎁 Enhancement
 Please start by describing the problem that you are trying to solve. There may already
 be a solution, or there may be a way to solve it that you hadn't considered.
--->
\ No newline at end of file
+-->
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 846566bce1..e80dddd0cf 100755
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -25,6 +25,14 @@ problem.
 
 
 
+== Reporting Security Vulnerabilities
+If you think you have found a security vulnerability in Spring Boot please *DO NOT*
+disclose it publicly until we've had a chance to fix it. Please don't report security
+vulnerabilities using GitHub issues, instead head over to https://pivotal.io/security and
+learn how to disclose them responsibly.
+
+
+
 == Sign the Contributor License Agreement
 Before we accept a non-trivial patch or pull request we will need you to
 https://cla.pivotal.io/sign/spring[sign the Contributor License Agreement].