security contact

.github/ISSUE_TEMPLATE.md

@@ -3,6 +3,7 @@ Frequently Asked Questions: https://github.com/epoberezkin/ajv/blob/master/FAQ.m
 Please provide all info and reduce your schema and data to the smallest possible size.
 
 This template is for bug or error reports. For other issues please use:
+- security vulnerability: https://tidelift.com/security)
 - a new feature/improvement: http://epoberezkin.github.io/ajv/contribute.html#changes
 - browser/compatibility issues: http://epoberezkin.github.io/ajv/contribute.html#compatibility
 - JSON-Schema standard: http://epoberezkin.github.io/ajv/contribute.html#json-schema

CONTRIBUTING.md

@@ -5,6 +5,7 @@ Thank you for your help making Ajv better! Every contribution is appreciated. If
 - [Documentation](#documentation)
 - [Issues](#issues)
   - [Bug reports](#bug-reports)
+  - [Security vulnerabilities](#security-vulnerabilities)
   - [Change proposals](#changes)
   - [Browser and compatibility issues](#compatibility)
   - [Installation and dependency issues](#installation)
@@ -44,6 +45,15 @@ Please include the link to the working code sample at Runkit.com (please clone h
 [Create bug report](https://github.com/epoberezkin/ajv/issues/new?template=bug-or-error-report.md).
 
 
+#### Security vulnerabilities
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+Please do NOT report security vulnerability via GitHub issues.
+
+
 #### <a name="changes"></a>Change proposals
 
 [Create a proposal](https://github.com/epoberezkin/ajv/issues/new?template=change.md) for a new feature, option or some other improvement.

README.md

@@ -53,7 +53,11 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json'));
   - [Defining custom keywords](#defining-custom-keywords)
   - [Asynchronous schema compilation](#asynchronous-schema-compilation)
   - [Asynchronous validation](#asynchronous-validation)
-  - [Security considerations](#security-considerations)
+- [Security considerations](#security-considerations)
+  - [Security contact](#security-contact)
+  - [Untrusted schemas](#untrusted-schemas)
+  - [Circular references in objects](#circular-references-in-javascript-objects)
+  - [Trusted schemas](#security-risks-of-trusted-schemas)
 - Modifying data during validation
   - [Filtering data](#filtering-data)
   - [Assigning defaults](#assigning-defaults)
@@ -611,6 +615,13 @@ See [Options](#options).
 JSON Schema, if properly used, can replace data sanitisation. It doesn't replace other API security considerations. It also introduces additional security aspects to consider.
 
 
+##### Security contact
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.
+
+
 ##### Untrusted schemas
 
 Ajv treats JSON schemas as trusted as your application code. This security model is based on the most common use case, when the schemas are static and bundled together with the application.