What is the role of a security policy in GitHub Advanced Security, and how does it guide responders?


Multiple Choice

What is the role of a security policy in GitHub Advanced Security, and how does it guide responders?

Explanation:
Security policy in GitHub Advanced Security acts as the playbook for how to respond to vulnerabilities and alerts. It outlines who is responsible, how advisories are triaged, what escalation paths to use, what communications to publish, and which incident response workflows to follow. By providing standardized runbooks for common situations—such as discovering a vulnerability in a dependency, handling zero-day alerts, validating patches, and disclosing findings—a policy ensures responders act consistently and quickly. It also creates an auditable trail of decisions and actions, which is crucial for post-incident review and compliance. Other controls like branch protection rules, encryption requirements for secrets, or automated code formatting address different aspects of security or code quality and do not govern how responders should handle advisories and incidents.