Add a Security page (#293)

Fixes: #293
haskell-infra · Jun 11, 2024 · 8024fff · 8024fff
1 parent 222102f
commit 8024fff
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 0 deletions.
diff --git a/site/security.markdown b/site/security.markdown
@@ -0,0 +1,78 @@
+---
+title: Security
+page: security
+isSecurity: true
+---
+
+# Security
+
+## Reporting security issues
+
+The Haskell [**security advisory database**][advisory-db] documents
+known issues in Haskell libraries and open source tools.  Anyone can
+report **historical or low-impact issues** via the [public
+submission process].
+
+[advisory-db]: https://github.com/haskell/security-advisories
+[public submission process]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md
+
+**High-impact vulnerabilities** should be reported privately to
+[[email protected]](mailto:[email protected])
+(we do not use PGP).  Alternatively, high-impact vulnerabilities can
+be reported via the CERT/CC [VINCE] system.  Use "Haskell
+Programming Language" as the vendor name.
+
+[VINCE]: https://kb.cert.org/vince/
+
+The Security Response Team currently coordinates security response
+under **embargo for high impact issues only**.  Factors that
+influence whether or not we will deal with an issue under embargo
+include:
+
+- How severe is the vulnerability?
+- How widely used is the library or tool in which the issue occurs?
+- Does the issue also affect other ecosystems, or is there already a
+  security response underway?  (We will not break someone else's
+  embargo.)
+
+For example, a high-severity vulnerability affecting the GHC
+toolchain or a popular library would likely warrant an embargo.  If
+you are unsure, please contact the Security Response Team and we
+will help assess the impact.
+
+
+## Haskell Security Response Team
+
+The Haskell Security Response Team (SRT) coordinates security
+response for high-impact vulnerabilities, and maintains the advisory
+database and associated tooling.
+
+The SRT is currently composed of 5 active members:
+
+* **Casey Mattingly**
+* **Fraser Tweedale**
+* **Gautier Di Folco**
+* **Mihai Maruseac**
+* **Tristan de Cacqueray**
+
+The SRT is an initiative of the [Haskell Foundation] pursuant to
+[Tech Proposal #37][hf-tp-37].
+
+[Haskell Foundation]: https://haskell.foundation/
+[hf-tp-37]: https://github.com/haskellfoundation/tech-proposals/blob/main/proposals/accepted/037-advisory-db.md
+
+## Security Guides
+
+The SRT publishes security guides for Haskell programmers and
+project maintainers.  Guides will be added or updated over time.
+
+*  [How to secure GitHub repositories](https://github.com/haskell/security-advisories/blob/main/guides/github.md)
+
+## SRT Reports
+
+The SRT reports quarterly on our completed and ongoing work, and
+future plans.
+
+* [2024 Q1](https://github.com/haskell/security-advisories/blob/main/reports/2024-04-08-Q1-report.md)
+* [2023 Q3 & Q4](https://github.com/haskell/security-advisories/blob/main/reports/2024-01-10-half-year-report.md)
+* [2023 Q2](https://github.com/haskell/security-advisories/blob/main/reports/2023-07-10-ann-q2-report.md)
diff --git a/site/templates/nav.html b/site/templates/nav.html
@@ -13,6 +13,7 @@
             <li><a href="https://play.haskell.org">Playground</a></li>
             <li $if(isCommunity)$     class="active" $endif$ ><a href="/community/">Community</a></li>
             <li $if(isDocumentation)$ class="active" $endif$ ><a href="/documentation/">Documentation</a></li>
+            <li $if(isSecurity)$      class="active" $endif$ ><a href="/security/">Security</a></li>
             <li $if(isDonations)$     class="active" $endif$ ><a href="/donations/">Donate</a></li>
          </ul>
       </div>