Add a security policy under /security

lrytz · lrytz · commit e3ca72ea6080 · 2024-06-19T11:16:43.000+02:00
diff --git a/_data/footer.yml b/_data/footer.yml
@@ -47,6 +47,8 @@
       url: "/conduct.html"
     - title: License
       url: "/license/"
+    - title: Security Policy
+      url: "/security/"
 - title: Social
   class: social
   links:
diff --git a/community/index.md b/community/index.md
@@ -31,6 +31,8 @@ The Scala Center focuses on education (especially online courses),
 documentation, open source community outreach, and tooling.  Community
 participation in all of these efforts is strongly encouraged.
 
+To receive security announcements or contact us about security issues, see our [security policy](/security/).
+
 ## Forums
 
 The Scala Center operates the following Discourse forums:
diff --git a/security.md b/security.md
@@ -0,0 +1,26 @@
+---
+title: Scala Security Policy
+layout: inner-page-no-masthead
+permalink: /security/
+includeTOC: false
+---
+
+## Receiving Security Announcements
+
+Security announcements related to Scala are published to the ["Security Announcements" channel](https://users.scala-lang.org/c/security) on our discourse forum.
+
+Messages to this channel can only be posted by administrators, so it is very low traffic.
+To set up email notifications for new security announcements, read [this post](https://users.scala-lang.org/t/about-the-security-announcements-category).
+
+## Reporting Vulnerabilities
+
+We strongly encourage reporting security issues in Scala to our private mailing list before disclosing them in public.
+
+The email address for security related communication is `security@scala-lang.org`.
+Messages are delivered to the Scala Security Team, which includes people from EPFL, the Scala Center, VirtusLab and Lightbend.
+
+We strive to acknowledge reports within 2 business days.
+In case you don't receive a reply within a few days and would like to escalate, our advice is to ask for a contact person in a forum hosted by the Scala organization:
+  - [Meta category on Discourse](https://users.scala-lang.org/c/meta)
+  - [`#admin` channel on Discord](https://discord.com/channels/632150470000902164/632628729029328947) ([invite link](https://discord.com/invite/scala) for joining)
+
