add Dependencies policy and Security policy (#934)

Signed-off-by: yangshiqi <[email protected]>

Author: yangshiqi

DEPENDENCY.md

@@ -0,0 +1,46 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy establishes guidelines for managing third-party packages in the HAMi repository. Its goal is to ensure that all dependencies are secure, up-to-date, and necessary for the project’s functionality.
+
+## Scope
+
+This policy applies to all maintainers of the HAMi repository and governs all third-party packages incorporated into the project.
+
+## Policy
+
+Maintainers must adhere to the following when incorporating third-party packages:
+
+- **Necessity:** Include only those packages that are essential to the project’s functionality.
+- **Latest Stable Versions:** Use the latest stable releases whenever possible.
+- **Security:** Avoid packages with known security vulnerabilities.
+- **Version Pinning:** Lock all dependencies to specific versions to maintain consistency.
+- **Dependency Management:** Utilize an appropriate dependency management tool (e.g., Go modules, npm, pip) to handle third-party packages.
+- **Testing:** Ensure that any new dependency passes all automated tests before integration.
+
+## Procedure
+
+When adding a new third-party package, maintainers should:
+
+1. **Assess Need:** Determine whether the package is truly necessary for the project.
+2. **Conduct Research:** Review the package’s maintenance status and reputation within the community.
+3. **Select Version:** Opt for the latest stable version that meets the project’s requirements.
+4. **Pin the Version:** Explicitly pin the dependency to the chosen version within the repository.
+5. **Update Documentation:** Revise the project documentation to include details about the new dependency.
+
+## Archive/Deprecation
+
+If a third-party package becomes deprecated or discontinued, maintainers must promptly identify and integrate a suitable alternative while updating the documentation accordingly.
+
+## Enforcement
+
+Compliance with this policy is monitored by the HAMi maintainers. All dependency-related changes are subject to peer review to ensure adherence to these guidelines.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the HAMi project lead on a case-by-case basis. Any exceptions must be documented with a clear rationale.
+
+## Credits
+
+This policy has been adapted and optimized based on guidelines from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md).

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Supported Versions
+
+The following table outlines which versions of HAMi receive security updates:
+
+| Version | Supported          |
+|---------|--------------------|
+| 2.5.x   | ✅ Security fixes |
+| 2.4.x   | ✅ Security fixes |
+| before 2.4.0   | ❌ No longer supported |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in HAMi, we strongly encourage you to report it responsibly. Please **do not** disclose security vulnerabilities publicly without following our responsible disclosure process.
+
+### How to Report
+- **GitHub Security Advisories**: [submit a private vulnerability report via GitHub](https://github.com/Project-HAMi/HAMi/security/advisories/new).
+- **Bug Bounty**: Currently, HAMi does not offer a public bug bounty program.
+
+### Information to Include
+When reporting a security issue, please include:
+- A clear and concise description of the vulnerability.
+- Steps to reproduce the issue.
+- Any potential attack scenarios or security impact.
+- Suggested mitigations or fixes, if available.
+
+## Response Process
+
+We follow a structured process to handle security reports:
+
+Response times could be affected by weekends, holidays, breaks or time zone differences. That said, the maintainers will endeavour to reply as soon as possible, ideally within 5 working days.
+
+
+## Third-Party Dependencies
+
+HAMi relies on third-party libraries and containers. We monitor dependencies and promptly apply security patches.
+
+
+Thank you for helping us make HAMi more secure! 🔒