docs/aemfvp-a: add guidelines for vulnerability reporting

Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
Change-Id: I570fad8f54dd8da7d1e4aaf92f658ea7c60a9e1d

docs/aemfvp-a/user-guide.rst

@@ -281,6 +281,12 @@ distribution images. The installable distribution images are fetched from the
 corresponding repository. The GRUB, Linux, and Rootfs are part of the installable
 distribution images.
 
+Report security vulnerabilities
+===============================
+
+For reporting security vulnerabilities, please refer `Vulnerability reporting`_
+page.
+
 Release Tags
 ============
 
@@ -314,3 +320,4 @@ validated in each release is listed in `change log`_.
 .. _GRUB: https://git.savannah.gnu.org/git/grub
 .. _Linux: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
 .. _busybox: https://github.com/mirror/busybox
+.. _Vulnerability reporting: docs/aemfvp-a/vulnerability-reporting.rst

docs/aemfvp-a/vulnerability-reporting.rst

+*************************************
+Guidelines to Vulnerability reporting
+*************************************
+
+- Architecture Envelope Model(AEMFVP-A) platform software stack is a
+  collection of open source software repositories. If you think you have
+  found a security vulnerability in a specific open source project which
+  is part of the software stack, it is recommended to follow the vulnerability
+  reporting guidelines specified by the respective project.
+
+- If you think you have found a security vulnerability as part of the
+  Architecture Envelope Model(AEMFVP-A) platform software stack and does
+  not fall into any specific open source project, then please report
+  by email at arm-security@arm.com specifying the project name as
+  "Architecture Envelope Model(AEMFVP-A) Platform Software".
+  More details can be found at `Arm Developer website`_.
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
+
+.. _Arm Developer website: https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities