From d42e3f1e7fbdf23e3e8b729c5ba08dbf89285088 Mon Sep 17 00:00:00 2001 From: Brian de Alwis Date: Fri, 1 Aug 2025 12:12:32 -0400 Subject: [PATCH] doc: use standard Google security policy for GitHub projects (#5062) --- README.md | 4 ++++ SECURITY.md | 8 ++++++++ 2 files changed, 12 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 3e2db940..41612af3 100644 --- a/README.md +++ b/README.md @@ -209,3 +209,7 @@ Head over to the [Uninstall](docs/Uninstall.md) guide for uninstallation instruc ## Terms of Service and Privacy Notice For details on the terms of service and privacy notice applicable to your use of Gemini CLI, see the [Terms of Service and Privacy Notice](./docs/tos-privacy.md). + +## Security Disclosures + +Please see our [security disclosure process](SECURITY.md). All [security advisories](https://github.com/google-gemini/gemini-cli/security/advisories) are managed on Github. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..226310c2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,8 @@ +# Reporting Security Issues + +To report a security issue, please use [https://g.co/vulnz](https://g.co/vulnz). +We use g.co/vulnz for our intake, and do coordination and disclosure here on +GitHub (including using GitHub Security Advisory). The Google Security Team will +respond within 5 working days of your report on g.co/vulnz. + +[GitHub Security Advisory]: https://github.com/google-gemini/gemini-cli/security/advisories
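Review bot: In the README.md hunk, the added line under "## Security Disclosures" spells the platform "Github", while the SECURITY.md text in this same patch uses "GitHub"; suggest "are managed on GitHub." for consistency. The line also links to the advisories list but leaves the intake channel to a click-through, so a reader skimming the README could still file a vulnerability as a public issue. Consider naming g.co/vulnz directly in this sentence, as SECURITY.md does.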
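Review bot: In the SECURITY.md hunk, the reference definition on the last added line, `[GitHub Security Advisory]: https://github.com/google-gemini/gemini-cli/security/advisories`, is never used: the body text reads "(including using GitHub Security Advisory)" without square brackets, so Markdown renders plain text and the definition is dead. Suggest writing "(including using [GitHub Security Advisory])" so the phrase links to the advisories page. The text also promises a response "within 5 working days" on g.co/vulnz but does not say that reports should not be opened as public GitHub issues; one sentence stating that would make the intake path unambiguous.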