From be079843132408da1c3bf04fd6ebdd73da899cf0 Mon Sep 17 00:00:00 2001 From: Erik Demaine Date: Mon, 17 Oct 2022 17:52:49 -0400 Subject: [PATCH] docs: New security reporting policy (#3723) --- docs/security.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/security.md b/docs/security.md index ac714b11..b63546cc 100644 --- a/docs/security.md +++ b/docs/security.md @@ -18,4 +18,11 @@ with untrusted inputs; refer to [Options](options.md) for more details. The error message thrown by KaTeX may contain unescaped LaTeX source code. See [Handling Errors](error.md) for more details. -> If you discovered a security issue, please let us know via https://hackerone.com/khanacademy +## Reporting a Vulnerability + +If you have discovered a potential security issue with KaTeX: + +1. Please report the issue privately by emailing [katex-security@mit.edu](mailto:katex-security@mit.edu). +2. We will create a [GitHub Security Advisory](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories) and (if desired) invite you as a collaborator for further discussion about the vulnerability and how to fix them. Please let us know your GitHub.com username so that we can add you. +3. We will evaluate the vulnerability and, if necessary, release a fix and security advisory. We will credit you in the report. +4. Please do not disclose the vulnerability publicly until after a fix has been released.
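Review bot: In step 2 of the new "Reporting a Vulnerability" list, "how to fix them" does not agree with the singular "the vulnerability" earlier in the same sentence; suggest "how to fix it". Two smaller points on the same hunk: the removed `>` line was the only mention of the HackerOne channel, so consider stating explicitly that hackerone.com/khanacademy is no longer the reporting path, otherwise reporters who bookmarked it will not know whether reports sent there are still read; and steps 3 and 4 ask the reporter to withhold disclosure until a fix is released without giving any expected acknowledgement or response time, which a reporter will want before agreeing to wait, so a sentence such as "We will acknowledge your report within N days" (with whatever window the maintainers can commit to) would make the policy easier to comply with.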