Copy SECURITY.md from OpenEXR or one of the other ASWF projects, and delete whatever doesn't apply to your project. This covers several of the OpenSSF badge requirements, like the policy, vulnerability reporting, and expectations.
Other related steps to take:
Set up security@opentimelineio.org that forwards to your technical steering committee. The LF can help configure this.
On the "Code security & analysis" page of your GitHub repo settings, enable private vulnerability reporting.
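A small check script for the items above, added here as an example and not part of the original thread or any ASWF project: it verifies that a SECURITY.md actually covers the topics the OpenSSF badge asks about (policy, how to report, a contact, response expectations) and, optionally, asks the GitHub REST API whether private vulnerability reporting is switched on. The topic regexes are this example's own heuristics, the sample SECURITY.md texts are constructed, and the `private-vulnerability-reporting` endpoint is assumed from GitHub's REST API documentation.

```python
"""Check the disclosure basics listed above: SECURITY.md content and
GitHub private vulnerability reporting status (added example, not project code)."""
import json
import re
import sys
import urllib.request

# Topics SECURITY.md should cover, with heuristic regexes (assumptions of this example).
REQUIRED_TOPICS = {
    "policy": re.compile(r"supported version|security policy", re.I),
    "reporting": re.compile(r"report(ing)? (a )?vulnerabilit", re.I),
    # either a mailbox (e.g. a security@ alias) or a pointer to GitHub's private reporting
    "contact": re.compile(r"[\w.-]+@[\w.-]+\.\w+|private vulnerability reporting", re.I),
    # a concrete response-time promise
    "expectations": re.compile(r"within \d+ (business )?(day|hour)s?", re.I),
}


def missing_topics(security_md: str) -> list[str]:
    """Return the names of required topics not found in the SECURITY.md text."""
    return [name for name, pat in REQUIRED_TOPICS.items() if not pat.search(security_md)]


def parse_pvr_status(body: bytes) -> bool:
    """Parse the JSON body returned by the private-vulnerability-reporting endpoint."""
    return bool(json.loads(body).get("enabled", False))


def private_reporting_enabled(owner: str, repo: str, token: str) -> bool:
    """Ask GitHub whether private vulnerability reporting is enabled for owner/repo.

    Endpoint (assumed from GitHub's REST docs):
    GET /repos/{owner}/{repo}/private-vulnerability-reporting -> {"enabled": bool}
    Needs a token with read access to the repository.
    """
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/private-vulnerability-reporting",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_pvr_status(resp.read())


# Constructed sample: a stub SECURITY.md that names no contact and makes no
# response-time promise, so it would fail the badge questions.
SAMPLE_STUB = """# Security Policy

## Supported Versions
Only the latest release receives security fixes.

## Reporting a Vulnerability
Please open a public issue.
"""

# Constructed sample: the same file with a (placeholder) mailbox, a pointer to
# private reporting, and an acknowledgement window.
SAMPLE_COMPLETE = SAMPLE_STUB.replace(
    "Please open a public issue.",
    "Email security@example.org (placeholder address) or use GitHub private vulnerability "
    "reporting. We acknowledge reports within 3 business days.",
)


if __name__ == "__main__":
    # Usage: python check_security.py [path/to/SECURITY.md] [owner repo token]
    path = sys.argv[1] if len(sys.argv) > 1 else "SECURITY.md"
    with open(path, encoding="utf-8") as fh:
        gaps = missing_topics(fh.read())
    print(f"{path}: " + ("all topics present" if not gaps else "missing " + ", ".join(gaps)))
    if len(sys.argv) >= 5:
        owner, repo, token = sys.argv[2:5]
        print(f"private vulnerability reporting enabled: {private_reporting_enabled(owner, repo, token)}")
```

Run it against the repo's SECURITY.md before claiming the badge items; the regexes are deliberately loose, so treat a clean result as "nothing obviously missing" rather than proof of a good policy.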