Create SECURITY.md (#2002)

* Create SECURITY.md
* DRY the documentation
* Add to published documentation

CONTRIBUTING.md

@@ -106,11 +106,7 @@ Issues and PRs are split into two levels of labels, at the higher level:
 
 ## Security
 
-For security inquiries or vulnerability reports, please email
-<security@thoughtbot.com>.
-If you'd like, you can use our [PGP key] when reporting vulnerabilities.
-
-[PGP key]: https://thoughtbot.com/thoughtbot.asc
+See the [security policy](./SECURITY.md).
 
 ## Releasing
 

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+Only the the latest version of Administrate is supported at a given time. If you find
+a security issue with an older version, please try updating to the latest version first.
+
+If for some reason you can't update to the latest version, please let us know your reasons
+so that we can have a better understanding of your situation.
+
+## Reporting a Vulnerability
+
+For security inquiries or vulnerability reports, please email security@thoughtbot.com.
+If you'd like, you can use our PGP key when reporting vulnerabilities.

spec/example_app/app/controllers/docs_controller.rb

@@ -9,6 +9,8 @@ def show
       render_page("CONTRIBUTING", "Contributing Guide")
     when "license", "LICENSE"
       render_page("LICENSE", "LICENSE")
+    when "security", "SECURITY"
+      render_page("SECURITY", "Security Policy")
     else
       render_page("docs/#{params[:page]}")
     end

spec/features/documentation_spec.rb

@@ -39,6 +39,18 @@
     expect(page).to have_content("The MIT License (MIT)")
   end
 
+  it "shows the Security Policy in both forms" do
+    visit("/security")
+
+    expect(page).to have_css("div.main h1", text: "Security Policy")
+    expect(page).to have_content("security inquiries")
+
+    visit("/SECURITY.md")
+
+    expect(page).to have_css("div.main h1", text: "Security Policy")
+    expect(page).to have_content("security inquiries")
+  end
+
   it "shows other docs pages" do
     visit("/getting_started")