From cdcad79bce752079bdd17971c3d2428b5a105a8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Espaze?= Date: Sun, 9 Jun 2024 12:45:27 +0200 Subject: [PATCH] Add a Security page (#293) Fixes: https://github.com/haskell-infra/www.haskell.org/issues/293 --- site/security.markdown | 78 +++++++++++++++++++++++++++++++++++++++++ site/templates/nav.html | 1 + 2 files changed, 79 insertions(+) create mode 100644 site/security.markdown diff --git a/site/security.markdown b/site/security.markdown new file mode 100644 index 0000000..9f49842 --- /dev/null +++ b/site/security.markdown 
@@ -0,0 +1,78 @@ +--- +title: Security +page: security +isSecurity: true +--- + +# Security + +## Reporting security issues + +The Haskell [**security advisory database**][advisory-db] documents +known issues in Haskell libraries and open source tools. Anyone can +report **historical or low-impact issues** via the [public +submission process]. + +[advisory-db]: https://github.com/haskell/security-advisories +[public submission process]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md + +**High-impact vulnerabilities** should be reported privately to +[security-advisories@haskell.org](mailto:security-advisories@haskell.org) +(we do not use PGP). Alternatively, high-impact vulnerabilities can +be reported via the CERT/CC [VINCE] system. Use "Haskell +Programming Language" as the vendor name. + +[VINCE]: https://kb.cert.org/vince/ + +The Security Response Team currently coordinates security response +under **embargo for high impact issues only**. Factors that +influence whether or not we will deal with an issue under embargo +include: + +- How severe is the vulnerability? +- How widely used is the library or tool in which the issue occurs? +- Does the issue also affect other ecosystems, or is there already a + security response underway? (We will not break someone else's + embargo.) + +For example, a high-severity vulnerability affecting the GHC +toolchain or a popular library would likely warrant an embargo. If +you are unsure, please contact the Security Response Team and we +will help assess the impact. + + +## Haskell Security Response Team + +The Haskell Security Response Team (SRT) coordinates security +response for high-impact vulnerabilities, and maintains the advisory +database and associated tooling. 
+ +The SRT is currently composed of 5 active members: + +* **Casey Mattingly** +* **Fraser Tweedale** +* **Gautier Di Folco** +* **Mihai Maruseac** +* **Tristan de Cacqueray** + +The SRT is an initiative of the [Haskell Foundation] pursuant to +[Tech Proposal #37][hf-tp-37]. + +[Haskell Foundation]: https://haskell.foundation/ +[hf-tp-37]: https://github.com/haskellfoundation/tech-proposals/blob/main/proposals/accepted/037-advisory-db.md + +## Security Guides + +The SRT publishes security guides for Haskell programmers and +project maintainers. Guides will be added or updated over time. + +* [How to secure GitHub repositories](https://github.com/haskell/security-advisories/blob/main/guides/github.md) + +## SRT Reports + +The SRT reports quarterly on our completed and ongoing work, and +future plans. + +* [2024 Q1](https://github.com/haskell/security-advisories/blob/main/reports/2024-04-08-Q1-report.md) +* [2023 Q3 & Q4](https://github.com/haskell/security-advisories/blob/main/reports/2024-01-10-half-year-report.md) +* [2023 Q2](https://github.com/haskell/security-advisories/blob/main/reports/2023-07-10-ann-q2-report.md) diff --git a/site/templates/nav.html b/site/templates/nav.html index 6904848..a176076 100644 --- a/site/templates/nav.html +++ b/site/templates/nav.html @@ -13,6 +13,7 @@
  • Playground
  • Community
  • Documentation
  • +
  • Security
  • Donate
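Review bot: the "Reporting security issues" section of site/security.markdown gives reporters the private contact (`security-advisories@haskell.org`, no PGP) and the VINCE fallback but no expected acknowledgement window, so a reporter cannot distinguish a slow reply from a lost mail; consider one sentence after the contact paragraph along the lines of `We aim to acknowledge reports within N business days`, with the SRT's real figure. Since this page becomes the canonical statement of the contact address, it would also be worth publishing the same address in a `/.well-known/security.txt` (RFC 9116) so that reporters and tooling can find it without reading the page. Two minor points in the same hunk: `The SRT is currently composed of 5 active members:` hardcodes a count next to the list that already carries it, and the number will drift when the roster changes, so drop it; and `The SRT reports quarterly on our completed and ongoing work` switches from third person to `our` mid-sentence (`its completed and ongoing work` reads consistently with the rest of the section).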
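Review bot: the site/templates/nav.html hunk as rendered here shows only the list entries (the new `Security` item placed between `Documentation` and `Donate`), not the markup of the added line, so it is not possible to confirm from the hunk whether the entry is marked as the active page from the `isSecurity: true` front matter that the markdown hunk introduces. Please confirm the new entry reads that flag; otherwise `isSecurity: true` in site/security.markdown has no consumer and the Security page will render without the current-page highlight the other entries get.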