Align with Trusted Firmware security policy

Align the project security policy with the Trusted Firmware security policy
at: https://www.trustedfirmware.org/.well-known/security.txt

Signed-off-by: Dan Handley <dan.handley@arm.com>

Author: danh-arm

docs/SECURITY.md

@@ -1,56 +1,31 @@
 # Project security policy
 
-The MCUboot team takes security, vulnerabilities, and weaknesses
-seriously.
+The MCUboot project uses the [TrustedFirmware.org security
+policy](https://www.trustedfirmware.org/.well-known/security.txt).
 
-## Reporting security issues
+## Reporting security vulnerabilities
 
-The preferred way to report security issues with MCUboot is via the "Report a
-security vulnerability" button on the main [security
-page](https://github.com/mcu-tools/mcuboot/security).
+The preferred way to report a security vulnerability with MCUboot is via the
+"Report a vulnerability" button on the main [security page
+](https://github.com/mcu-tools/mcuboot/security).
 
-You can also directly contact the following maintainers of the project:
-
-- David Brown: davidb@davidb.org or david.brown@linaro.org
-- Fabio Utzig: utzig@apache.org
-
-If you wish to send an encrypted email, you may use these PGP keys:
-
-```
-    pub   rsa4096 2011-10-14 [SC]
-          DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
-    uid           [ultimate] David Brown <davidb@davidb.org>
-    uid           [ultimate] David Brown <david.brown@linaro.org>
-    sub   rsa4096 2011-10-14 [E]
-```
-
-and
-
-```
-    pub   rsa4096 2017-07-28 [SC]
-          126087C7E725625BC7E89CC7537097EDFD4A7339
-    uid           [ unknown] Fabio Utzig <utzig@apache.org>
-    uid           [ unknown] Fabio Utzig <utzig@utzig.org>
-    sub   rsa4096 2017-07-28 [E]
-```
-
-Please include the word "SECURITY" as well as "MCUboot" in the subject
+You can also email the MCUboot security team at
+mcuboot-security@lists.trustedfirmware.org as per the TrustedFirmware.org
+policy. Please include the word "SECURITY" as well as "MCUboot" in the subject
 of any message.
 
-We will make our best effort to respond in a timely manner. Most
-vulnerabilities found within published code will undergo an embargo of
-90 days to allow time fixes to be developed and deployed.
-
-## Vulnerability advisories
+## Disclosure
 
-Vulnerability reports and published fixes will be reported as follows:
+Any confirmed security vulnerability will be disclosed to Trusted Stakeholders
+as per the TrustedFirmware.org policy.
 
-- Issues will be entered into MCUboot's [security advisory
-  system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with
-  the interested parties (including the reporter) added as viewers.
+A draft advisory and vulnerability fix will be created in MCUboot's [security
+advisory system](https://github.com/mcu-tools/mcuboot/security/advisories) on
+GitHub, with any interested Trusted Stakeholders and the reporter added as
+viewers.
 
-- The release notes will contain a reference to any allocated CVE(s).
+On the public disclosure date, the security advisory page will be made public,
+and the public CVE database will be updated with all relevant information.
 
-- When the embargo is lifted, the security advisory page will be made
-  public, and the public CVE database will be updated with all
-  relevant information.
+The release notes of the next MCUboot release will refer to any allocated
+CVE(s).

docs/release-notes.d/align-security-policy.md

@@ -0,0 +1,2 @@
+- Aligned the project security policy with the [TrustedFirmware.org security
+policy](https://www.trustedfirmware.org/.well-known/security.txt).