CONTRIBUTING.md: Vulnerability reporting instructions and criteria

This is long overdue! (see #25) It provides basic instructions for
filing advisories against the database, and also some guidelines
for what types of vulnerabilities qualify.

CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# Reporting Vulnerabilities
+
+To add an advisory to the RustSec database, open a [Pull Request] against
+this repository containing the new advisory:
+
+1. Create a file named `RUSTSEC-0000-0000.toml` in the `crates/<yourcratename>`
+   subdirectory of this repository (you may need to create it if it doesn't exist)
+2. Copy and paste the [TOML advisory template] from the README.md file in this repo.
+   Delete the comments and additional whitespace, and fill it out with the
+   details of the advisory.
+3. Open a [Pull Request]. After being reviewed your advisory will be assigned
+   a `RUSTSEC-*` advisory identifier and be published to the database.
+4. (Optional, but recommended) Request a CVE for your vulnerability:
+   https://iwantacve.org/
+
+## Criteria
+
+RustSec is a database of security vulnerabilities. The following are
+examples of qualifying vulnerabilities:
+
+* Code Execution (i.e. RCE)
+* Memory Corruption
+* Privilege Escalation (either at OS level or inside of an app/library)
+* File Disclosure / Directory Traversal
+* Web Security (e.g. XSS, CSRF)
+* Format Injection, e.g. shell escaping, SQL injection (and also XSS)
+* Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
+* Covert Channels (e.g. Spectre, Meltdown)
+* Panics in code advertised as "panic-free" (particularly if useful for network DoS attacks)
+
+When in doubt, please open a PR.
+
+[Pull Request]: https://github.com/RustSec/advisory-db/pulls
+[TOML advisory template]: https://github.com/RustSec/advisory-db#format