all: add licensing boilerplate and update README

Change-Id: I79bcdc1d868fccbb778ccdef23a4ad7389cf5bfe
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1054183
Reviewed-by: Filippo Valsorda <valsorda@google.com>
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..2b00ddb
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at https://tip.golang.org/AUTHORS.
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
new file mode 100644
index 0000000..1fbd3e9
--- /dev/null
+++ b/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at https://tip.golang.org/CONTRIBUTORS.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6a66aea
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
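Review bot: The LICENSE file added here carries only the BSD-style terms, but the README in this same change says the contents of `reports/` are distributed under CC-BY 4.0, and nothing in the patch places a notice or license text next to that data. Consider adding a short license file or header under `reports/` so that consumers who copy only the reports directory still receive the attribution terms that apply to it.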
diff --git a/PATENTS b/PATENTS
new file mode 100644
index 0000000..7330990
--- /dev/null
+++ b/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/README.md b/README.md
index 09b3064..cc21e52 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,39 @@
-This repository contains a handful of prototypes for the Go vulnerability database,
-as well as a initial set of vulnerability reports. Some of these packages can probably
-be coalesced, but for now are easier to work on in a more segmented fashion.
+# The Go Vulnerability Database `golang.org/x/vulndb`
 
-* `reports` contains TOML security reports, the format is described in `format.md`
+This repository is a prototype of the Go Vulnerability Database.
+Read [the Draft Design](https://golang.org/design/draft-vulndb).
+
+Neither the code, nor the data, nor the existence of this repository is to be
+considered stable until an approved proposal.
+
+**Important**: vulnerability entries in this repository are represented in an
+internal, unstable format that can and will change without notice. The database
+will also be available in an interoperable, stable JSON format soon.
+
+## Packages
+
+Some of these packages can probably be coalesced, but for now are easier to work
+on in a more segmented fashion.
+
 * `report` provides a package for parsing and linting TOML reports
-* `osv` provides a package for generating OSV-style JSON vulnerability entries from a `report.Report`
-* `client` contains a client for accesing HTTP/fs based vulnerability databases, as well as a minimal caching implementation
+* `osv` provides a package for generating OSV-style JSON vulnerability entries
+  from a `report.Report`
+* `client` contains a client for accessing HTTP/fs based vulnerability
+  databases, as well as a minimal caching implementation
 * `cmd/gendb` provides a tool for converting TOML reports into JSON database
 * `cmd/genhtml` provides a tool for converting TOML reports into a HTML website
 * `cmd/linter` provides a tool for linting individual reports
-* `cmd/report2cve` provides a tool for converting TOML reports into JSON CVEs
\ No newline at end of file
+* `cmd/report2cve` provides a tool for converting TOML reports into JSON CVEs
+
+## Contributing
+
+To report a new *public* vulnerability, [open an
+issue](https://github.com/golang/vulndb/issues/new) or send a PR. Please read
+the [Contribution Guidelines](https://golang.org/doc/contribute.html) before
+sending patches.
+
+Unless otherwise noted, the Go source files are distributed under
+the BSD-style license found in the LICENSE file.
+
+The database contents in `reports/` are distributed under the terms of the
+[CC-BY 4.0](https://creativecommons.org/licenses/by/4.0/) license.
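Review bot: The removed bullet for `reports` (TOML security reports, format described in `format.md`) has no replacement in the new Packages list, so the README no longer says where the report format is documented even though the licensing paragraph at the end refers to `reports/`. Suggest restoring it as a list entry that names `reports` and points to `format.md`. Separately, the Contributing section covers only *public* vulnerabilities via an issue or PR; a sentence saying where a non-public issue should be sent would keep reporters from disclosing it in the public tracker.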