documentation alignment

Author: thurka

CONTRIBUTING.md

@@ -1,11 +1,21 @@
 # Contributing to VisualVM
 
-*Copyright © 2017, 2020, Oracle Corporation and/or its affiliates.*
+## Opening issues
+
+Please let us know your ideas, missing features, or bugs found. Either [file a RFE/bug](https://github.com/oracle/visualvm/issues/new/choose) or [leave us a message](https://visualvm.github.io/feedback.html).
+
+Any information, ideas or suggestions that you provide to us either through a Bug Report or a Feature Request ([https://github.com/oracle/visualvm/issues/new/choose](https://github.com/oracle/visualvm/issues/new/choose)) or using Gitter chat or email shall be considered Feedback. If you think you've found a security
+vulnerability, do not raise a GitHub issue and follow the instructions in our [security policy](./SECURITY.md).
+
+## Contributing code
+
+For legal reasons, we cannot accept external pull requests. 
+
+## Pull request process
 
 **Pull requests are currently not being accepted for the VisualVM project.**
 
-Please let us know your ideas, missing features, or bugs found. Either [file a RFE/bug](https://github.com/oracle/visualvm/issues/new/choose) or [leave us a message](https://visualvm.github.io/feedback.html).
+## Code of conduct
 
-Any information, ideas or suggestions that you provide to us either through a Bug Report or a Feature Request ([https://github.com/oracle/visualvm/issues/new/choose](https://github.com/oracle/visualvm/issues/new/choose)) or using Gitter chat or email shall be considered Feedback.
+Oracle and its affiliates have a perpetual, royalty-free, non-exclusive, irrevocable license to use, reproduce, distribute or otherwise commercialize any Feedback that you voluntarily provide.  Oracle shall have no obligation to respond to any Feedback or to incorporate your Feedback into the VisualVM software.
 
-Oracle and its affiliates have a perpetual, royalty-free, non-exclusive, irrevocable license to use, reproduce, distribute or otherwise commercialize any Feedback that you voluntarily provide.  Oracle shall have no obligation to respond to any Feedback or to incorporate your Feedback into the VisualVM software.

LICENSE renamed to LICENSE.txt

@@ -16,16 +16,29 @@ First download or clone this repository into directory `visualvm`. There are two
 
 Then download and extract the [NetBeans Platform 14](https://github.com/oracle/visualvm/releases/download/2.1.5/nb140_platform_20220908.zip) into directory `visualvm/visualvm` (should create `visualvm/visualvm/netbeans`).
 
-## Build and run VisualVM tool
+## How to build
 
-To build VisualVM, use `ant build-zip` command in the `visualvm/visualvm` directory. To run VisualVM, use `ant run` command in the `visualvm/visualvm` directory.
+To build VisualVM, use `ant build-zip` command in the `visualvm/visualvm` directory. 
 
-## Build and run VisualVM plugins
+## How to run
+
+To run VisualVM, use `ant run` command in the `visualvm/visualvm` directory.
+
+## Build and run plugins
 
 To build or run the plugins suite, use `ant build` or `ant run` in the `visualvm/plugins` directory. This will automatically build the zip distribution of the core VisualVM tool into `visualvm/visualvm/dist/visualvm.zip` and extract it into the `visualvm/plugins/visualvm` directory. After that the build of the plugins suite continues to build each of the individual plugins. Running the plugins suite means starting VisualVM with all the plugins installed.
 
-## Contribute
+## Contributing
 
 We highly appreciate any feedback! Please let us know your ideas, missing features, or bugs found. Either [file a RFE/bug](https://github.com/oracle/visualvm/issues/new/choose) or [leave us a message](https://visualvm.github.io/feedback.html). For legal reasons, we cannot accept external pull requests. See 
 [CONTRIBUTING](https://github.com/oracle/visualvm/blob/master/CONTRIBUTING.md)
 for details.
+
+## Security
+
+Please consult the [security guide](./SECURITY.md) for our responsible security vulnerability disclosure process
+
+## License
+
+Copyright (c) 2017, 2023 Oracle and/or its affiliates.
+Released under the GNU General Public License, version 2, with the Classpath Exception.

README.md

@@ -0,0 +1,38 @@
+# Reporting security vulnerabilities
+
+Oracle values the independent security research community and believes that
+responsible disclosure of security vulnerabilities helps us ensure the security
+and privacy of all our users.
+
+Please do NOT raise a GitHub Issue to report a security vulnerability. If you
+believe you have found a security vulnerability, please submit a report to
+[[email protected]][1] preferably with a proof of concept. Please review
+some additional information on [how to report security vulnerabilities to Oracle][2].
+We encourage people who contact Oracle Security to use email encryption using
+[our encryption key][3].
+
+We ask that you do not use other channels or contact the project maintainers
+directly.
+
+Non-vulnerability related security issues including ideas for new or improved
+security features are welcome on GitHub Issues.
+
+## Security updates, alerts and bulletins
+
+Security updates will be released on a regular cadence. Many of our projects
+will typically release security fixes in conjunction with the
+Oracle Critical Patch Update program. Additional
+information, including past advisories, is available on our [security alerts][4]
+page.
+
+## Security-related information
+
+We will provide security related information such as a threat model, considerations
+for secure use, or any known security issues in our documentation. Please note
+that labs and sample code are intended to demonstrate a concept and may not be
+sufficiently hardened for production use.
+
+[1]: mailto:[email protected]
+[2]: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html
+[3]: https://www.oracle.com/security-alerts/encryptionkey.html
+[4]: https://www.oracle.com/security-alerts/