From a36448ffcdda1aad60f129350745507c86b33163 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 14:33:37 +0200 Subject: [PATCH] [security] add security escalation policy --- .github/SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3a2ccda..83f7041 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,6 +2,13 @@ Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report. +## Escalation + +If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate. + + ## OpenSSF CII Best Practices [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684)
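Review bot: the two escalation timelines in the added `## Escalation` section use different units: the first paragraph says "within 6 business days" while the second says "within 14 days" with no qualifier, so a reporter cannot tell whether the second clock counts calendar or business days; state it explicitly (e.g. "within 14 calendar days") so reporters and maintainers apply the same deadline. Two smaller points on the same hunk: it leaves two consecutive blank `+` lines before `## OpenSSF CII Best Practices` where the rest of the file separates sections with a single blank line, so one of them should be dropped; and `security@lists.openjsf.org` is rendered as inline code while the other contacts in the preceding paragraph are links, so a `mailto:` link would be more consistent and is clickable for a reporter under time pressure.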