[EDI] Adding a security policy to your repository (#59264)

sophietheking · Copilot · web-flow · commit 7809435a83dd · 2026-01-23T15:06:40.000Z
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md b/content/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository.md
@@ -20,29 +20,6 @@ topics:
 shortTitle: Add a security policy
 ---
 
-## About security policies
-
-To give people instructions for reporting security vulnerabilities in your project, you can add a `SECURITY.md` file to your repository's root, `docs`, or `.github` folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy.
-
-You can create a default security policy for your organization or personal account. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file).
-
-> [!TIP]
-> To help people find your security policy, you can link to your `SECURITY.md` file from other places in your repository, such as your `README` file. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-readmes).
-
-{% ifversion fpt or ghec %}
-After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).
-
-{% data reusables.repositories.github-security-lab %}
-{% endif %}
-{% ifversion ghes %}
-<!-- alternative to the content about GitHub Security Advisories in the dotcom article -->
-By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel.
-{% endif %}
-
-For an example of a real `SECURITY.md` file, see [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md).
-
-## Adding a security policy to your repository
-
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 1. In the left sidebar, under "Reporting", click **{% octicon "law" aria-hidden="true" aria-label="law" %} Policy**.
@@ -55,6 +32,7 @@ For an example of a real `SECURITY.md` file, see [https://github.com/electron/el
 
 ## Further reading
 
+* [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)
 * [AUTOTITLE](/code-security/getting-started/securing-your-repository)
 * [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions){% ifversion fpt or ghec %}
 * [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %}
diff --git a/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md b/content/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file.md
@@ -26,7 +26,7 @@ You can add default community health files to a **public**{% ifversion ghec or g
 
 If no corresponding file is found in the current repository, {% data variables.product.github %} will use the default file from the `.github` repository, following the same order of precedence.
 
-**Note:** The `.github` repository must be **public**{% ifversion ghec or ghes %} or **internal**{% endif %} for templates to be applied organization-wide. Private `.github` repositories are not supported.
+>[!NOTE] The `.github` repository must be **public**{% ifversion ghec or ghes %} or **internal**{% endif %} for templates to be applied organization-wide. Private `.github` repositories are not supported.
 
 For example, anyone who creates an issue or pull request in a repository that does not have its own `CONTRIBUTING.md` file will see a link to the default `CONTRIBUTING.md` from the `.github` repository. However, if a repository has any files in its own `.github/ISSUE_TEMPLATE` folder, such as issue templates or a `_config.yml` file, none of the contents of the default `.github/ISSUE_TEMPLATE` folder will be used. This allows repository maintainers to override the default files with specific templates or content on per-repository basis.
 
@@ -38,6 +38,19 @@ As a repository maintainer, you can use the community standards checklist to see
 
 {% endif %}
 
+## About security policies
+
+{% ifversion fpt or ghec %}
+After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). For more information about repository security advisories, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories).
+{% endif %}
+
+{% ifversion ghes %}
+<!-- alternative to the content about GitHub Security Advisories in the dotcom article -->
+By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel.
+{% endif %}
+
+For an example of a real `SECURITY.md` file, see [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md).
+
 ## Supported file types
 
 You can create defaults in your organization or personal account for the following community health files:
