Merge pull request #1661 from lrytz/security-policy

Add a security policy under /security
scala · Jul 12, 2024 · 8930d88 · 8930d88
2 parents fd33ac6 + f4c2b46
commit 8930d88
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/_data/footer.yml b/_data/footer.yml
@@ -49,6 +49,8 @@
       url: "/conduct.html"
     - title: License
       url: "/license/"
+    - title: Security Policy
+      url: "/security/"
 - title: Social
   class: social
   links:

diff --git a/community/index.md b/community/index.md
@@ -140,6 +140,10 @@ Scala 3 compiler and standard library additions:
 Don't forget to search past issues first to see if the issue has
 already been reported.
 
+## Security
+
+To receive security announcements or contact us about security issues, see our [security policy](/security/).
+
 ## User Groups
 
 Most local Scala user groups are listed on [Meetup](https://www.meetup.com/topics/scala/).

diff --git a/security.md b/security.md
@@ -0,0 +1,26 @@
+---
+title: Scala Security Policy
+layout: inner-page-no-masthead
+permalink: /security/
+includeTOC: false
+---
+
+## Receiving Security Announcements
+
+Security announcements related to Scala are published to the ["Security Announcements" channel](https://users.scala-lang.org/c/security) on our discourse forum.
+
+Messages to this channel can only be posted by administrators, so it is very low traffic.
+To set up email notifications for new security announcements, read [this post](https://users.scala-lang.org/t/about-the-security-announcements-category).
+
+## Reporting Vulnerabilities
+
+We strongly encourage reporting security issues in Scala to us privately before disclosing them in public.
+
+The email address for security related communication is `security@scala-lang.org`.
+Messages are delivered to the Scala Security Team, which includes people from EPFL, the Scala Center, VirtusLab and Lightbend.
+
+We strive to acknowledge reports within 2 business days.
+In case you don't receive a reply within a few days and would like to escalate, our advice is to ask for a contact person in a forum hosted by the Scala organization:
+  - [Meta category on Discourse](https://users.scala-lang.org/c/meta)
+  - [`#admin` channel on Discord](https://discord.com/channels/632150470000902164/632628729029328947) ([invite link](https://discord.com/invite/scala) for joining)
+