Add security policy.

SECURITY.md

@@ -0,0 +1,28 @@
+# Sifchain's Security Policy
+
+Sifchain looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.  We are a public open source, decentralized blockchain and omni-chain DEX where most information is publicly queryable to the entire internet.  Our primary concern is any vulnerability where an attacker can siphon assets from our users in an unintended way.  Secondarily, any vulnerability that could affect or compromise the availability or performance of our blockchain.  Any issues beyond that will be considered Low severity at best.
+
+## Responsible Disclosure
+
+For all security related issues refer to our [Bug Bounty Program](https://hackerone.com/sifchain). **Do not open up a GitHub issue if the bug is a security vulnerability**
+
+**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/Sifchain/sifnode/issues).
+
+## Vulnerability Handling
+
+### Response Time
+
+Sifchain will make a best effort to meet the following response times for reported vulnerabilities:
+
+* Time to first response (from report submit) - 2 days
+* Time to triage (from report submit) - 3 - 5 days
+* Time to bounty (from triage) - 3 - 5 days
+
+We’ll try to keep you informed about our progress throughout the process.
+
+### Disclosure Policy
+
+* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
+* Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or Cosmos) but reports to Sifchain with considerable delay, then Sifchain may reduce or cancel the bounty.
+
+For more information check Sifchain bounty program policy at [HackerOne](https://hackerone.com/sifchain)