The project MUST publish the process for reporting vulnerabilities on the project site.

[SteveLasker]

From the OpenSSF Best Practice requirements:

1. The project MUST publish the process for reporting vulnerabilities on the project site. (URL required)
2. If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private.

Example: https://github.com/helm/community/blob/main/SECURITY.md

[TerryHowe]

Need to create a SECURITY.md file for each repo pointing to the documenation.

[TerryHowe]

oras-project/oras-credentials-go#90
#55
#55
oras-project/oras-py#104

[TerryHowe]

Done