update: report vulnerab via github, not email

Author: kikofernandez

_data/community-links.yaml

@@ -2,7 +2,7 @@ Contributing:
   - name: Bug Report
     description: You can report bugs, improvements or new features on [the Erlang issue tracker](https://github.com/erlang/otp/issues).
   - name: Security Disclosure
-    description: Please [follow the guidelines]({{ '/news/111' | relative_url }}) in order to report the issues regarding security in Erlang/OTP, and do not create a public issue for a security issue.
+    description: Please [follow the guidelines]({{ '/news/172' | relative_url }}) in order to report the issues regarding security in Erlang/OTP, and do not create a public issue for a security issue.
   - name: Contributing to Erlang/OTP
     description: Go to the [Erlang issue tracker](https://github.com/erlang/otp/issues) and search for issues labelled with [_Help Wanted_](https://github.com/erlang/otp/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). Follow the [contribution guidelines](https://github.com/erlang/otp/blob/master/CONTRIBUTING.md) to submit a contribution.
   - name: Erlang Enhancement Process

_news/111.md

@@ -6,12 +6,14 @@ lead: "Use erlang-security [at] erlang [dot] org to report a security issue"
 tags: "Erlang, OTP, security, report, bug"
 date: "2017-03-21"
 created_at: "2017-03-21T13:12:29Z"
-updated_at: "2017-03-21T13:13:53Z"
+updated_at: "2024-10-07T13:13:53Z"
 author: "Bruce Yinhe"
 visible: "true"
 article_type_id: "3"
 ---
 
+**DEPRECATED: See [Best Practice: Reporting a Security Issue in Erlang/OTP](https://www.erlang.org/news/172)**
+
 Reporting a Security Issue in Erlang/OTP
 
 Please follow this document in order to report the issues regarding security in Erlang/OTP. Please do not create a public issue for a security issue.

_news/172.md

@@ -0,0 +1,51 @@
+---
+layout: post
+id: 172
+title: "Best Practice: Reporting a Security Issue in Erlang/OTP"
+lead: "Use erlang-security [at] erlang [dot] org to report a security issue"
+tags: "Erlang, OTP, security, report, bug"
+date: "2024-10-07"
+author: "Kiko Fernandez-Reyes"
+---
+
+Best Practice: Reporting a Security Issue in Erlang/OTP
+
+**TLDR:**
+Please **do not create a public issue** for a security issue, use
+instead https://github.com/erlang/otp/security.
+
+Please follow this document in order to report security vulnerabilities in
+Erlang/OTP. 
+
+## When should you report a security issue?
+
+The risk level is often determined by a product of the impact once exploited,
+and the probability of exploitation occurring. In other words, if a bug can
+cause great damage, but it takes highest privilege to exploit the bug, then the
+bug is not a high risk one. Similarly, if the bug is easily exploitable, but its
+impact is limited, then it is not a high risk issue either.
+
+There is not any hard and fast rule to determine if a bug is worth reporting as
+a security issue to https://github.com/erlang/otp/security. A general rule is
+that an attack by someone that has no access to the Erlang application or its
+system can affect the confidentiality, integrity and availability.
+
+## What happens after the report?
+
+All security bugs in the Erlang/OTP distribution should be reported to
+https://github.com/erlang/otp/security. Your report will be handled by a
+small security team at the OTP team.
+
+Please use a descriptive email title for your report. After the initial response
+to your report, the security team will keep you updated on the progress and
+decision being made towards a fix and release announcement.
+
+## Flagging Existing Issues as Security-related
+
+If you believe that an existing public issue on
+[https://github.com/erlang/otp/issues](https://github.com/erlang/otp/issues) is
+security-related, we ask that you send an email to **erlang-security [at] erlang
+[dot] org**. The email title should contain the issue ID on
+[https://github.com/erlang/otp/issues](https://github.com/erlang/otp/issues)
+(e.g. Flagging security issue ERL-001). Please include a short description to
+motivate why it should be handled according to the security policy.