
Commit 28b6fd5

APPT-2327 Added SECURITY.md file. (#1638)
# Description

Added SECURITY.md file to describe our stance towards the reporting of vulnerabilities in our public repo

Fixes # (issue)

# Checklist:

- [ ] My work is behind a feature toggle (if appropriate)
- [ ] If my work is behind a feature toggle, I've added a full suite of tests for both the ON and OFF state
- [ ] The ticket number is in the Pull Request title, with format "APPT-XXX: My Title Here"
- [ ] I have run npm tsc / lint (in the future these will be run automatically)
- [ ] My code generates no new .NET warnings (in the future these will be treated as errors)
- [ ] If I've added a new Function, it is disabled in all but one of the terraform groups (e.g. http_functions)
- [ ] If I've added a new Function, it has both unit and integration tests. Any request body validators have unit tests also
- [ ] If I've made UI changes, I've added appropriate Playwright and Jest tests
- [ ] If I've added/updated an end-point, I've added the appropriate annotations and tested the Swagger documentation reflects the change
1 parent 43955af commit 28b6fd5

1 file changed

Lines changed: 23 additions & 0 deletions

SECURITY.md

@@ -0,0 +1,23 @@
1+
# Security
2+
3+
We take security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems or private data managed by our systems, please do not hesitate to contact us using the method outlined below.
4+
5+
## Table of Contents
6+
7+
- [Security](#security)
8+
- [Table of Contents](#table-of-contents)
9+
- [Reporting a vulnerability](#reporting-a-vulnerability)
10+
- [General Security Enquiries](#general-security-enquiries)
11+
12+
## Reporting a vulnerability
13+
14+
If you believe you have found a security issue in this repository, please report it using GitHub's private vulnerability reporting:
15+
16+
1. [Report a vulnerability](https://github.com/NHSDigital/software-engineering-quality-framework/security/advisories/new)
17+
2. Provide details of the issue and steps to reproduce
18+
19+
This creates a private channel for discussion and allows us to coordinate a fix before any public disclosure.
20+
21+
## General Security Enquiries
22+
23+
If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net)
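
Review bot: The advisory link in step 1 of "Reporting a vulnerability" targets NHSDigital/software-engineering-quality-framework, while the sentence introducing it says the report is for "this repository". If the file was copied from that framework's template, the URL should be changed to this repository's own `/security/advisories/new` path so that reports are not filed against a different project. In "General Security Enquiries" the link target is the bare address `(cybersecurity@nhs.net)`, which Markdown resolves as a relative path; it needs a `mailto:` prefix. The opening paragraph also invites reports about "any of our systems" using "the method outlined below", but the only method outlined covers issues in this repository, so it would help to state where reports about other systems should go.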
