update: report vulnerability via github, not email

.well-known/security.txt

@@ -0,0 +1,12 @@
+# Our security address
+Contact: mailto:[email protected]
+Contact: https://github.com/erlang/otp/security
+
+Canonical: https://www.erlang.org/.well-known/security.txt
+
+Preferred-Languages: en
+
+# Our security policy
+Policy: https://github.com/erlang/otp/blob/master/SECURITY.md
+
+Expires: 2025-10-30T00:00:00z

_config.yml

@@ -47,6 +47,7 @@ sass:
 
 include:
   - _redirects
+  - .well-known
 exclude:
   - LICENSE
   - Makefile

_data/community-links.yaml

@@ -2,7 +2,7 @@ Contributing:
   - name: Bug Report
     description: You can report bugs, improvements or new features on [the Erlang issue tracker](https://github.com/erlang/otp/issues).
   - name: Security Disclosure
-    description: Please [follow the guidelines]({{ '/news/111' | relative_url }}) in order to report the issues regarding security in Erlang/OTP, and do not create a public issue for a security issue.
+    description: Please [follow the guidelines]({{ '/security' | relative_url }}) in order to report the issues regarding security in Erlang/OTP, and do not create a public issue for a security issue.
   - name: Contributing to Erlang/OTP
     description: Go to the [Erlang issue tracker](https://github.com/erlang/otp/issues) and search for issues labelled with [_Help Wanted_](https://github.com/erlang/otp/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). Follow the [contribution guidelines](https://github.com/erlang/otp/blob/master/CONTRIBUTING.md) to submit a contribution.
   - name: Erlang Enhancement Process

_layouts/default.html

@@ -66,6 +66,7 @@
                     <li class="nav-item"><a class="nav-link" href="{{ '/community' | relative_url }}">Community</a></li>
                     <li class="nav-item"><a class="nav-link" href="{{ '/news' | relative_url }}">News</a></li>
                     <li class="nav-item"><a class="nav-link" href="{{ '/blog' | relative_url }}">Blog</a></li>
+                    <li class="nav-item"><a class="nav-link" href="{{ '/security' | relative_url }}">Security</a></li>
                     <li class="nav-item"><a class="nav-link" href="{{ '/eep' | relative_url }}">EEP</a></li>
                     <li class="nav-item"><a class="nav-link" href="{{ '/about' | relative_url }}">About</a></li>
                 </ul>

_news/111.md

@@ -6,12 +6,14 @@ lead: "Use erlang-security [at] erlang [dot] org to report a security issue"
 tags: "Erlang, OTP, security, report, bug"
 date: "2017-03-21"
 created_at: "2017-03-21T13:12:29Z"
-updated_at: "2017-03-21T13:13:53Z"
+updated_at: "2024-10-07T13:13:53Z"
 author: "Bruce Yinhe"
 visible: "true"
 article_type_id: "3"
 ---
 
+**DEPRECATED: See [Best Practice: Reporting a Security Issue in Erlang/OTP](https://www.erlang.org/security)**
+
 Reporting a Security Issue in Erlang/OTP
 
 Please follow this document in order to report the issues regarding security in Erlang/OTP. Please do not create a public issue for a security issue.

community/workshops.md

@@ -43,3 +43,5 @@ The photograph shows Danie Schutte, Carlos Varela, Rex Page and Ulf Wiger in fro
 * [ACM SIGPLAN Erlang Workshop 2020](https://icfp20.sigplan.org/home/erlang-2020), Online
 * [ACM SIGPLAN Erlang Workshop 2021](https://icfp21.sigplan.org/home/erlang-2021), Online
 * [ACM SIGPLAN Erlang Workshop 2022](https://icfp22.sigplan.org/home/erlang-2022), Ljubljana
+* [ACM SIGPLAN Erlang Workshop 2023](https://icfp22.sigplan.org/home/erlang-2023), Seattle
+* [ACM SIGPLAN Erlang Workshop 2024](https://icfp22.sigplan.org/home/erlang-2024), Milan

security.md

@@ -0,0 +1,32 @@
+---
+layout: markdown
+---
+## Security
+
+Best Practice: Reporting a Security Issue in Erlang/OTP
+
+## Summary
+
+**Do not create a public github issue**.
+
+Please create a new [Security Advisory](https://github.com/erlang/otp/security) for security issues. 
+Alternatively send an email to erlang-security [at] erlang [dot] org.
+
+Please follow this document in order to report security vulnerabilities in Erlang/OTP. 
+
+## When should you report a security issue?
+
+The risk level is often determined by a product of the impact once exploited, and the probability of exploitation occurring. In other words, if a bug can cause great damage, but it takes highest privilege to exploit the bug, then the bug is not a high risk one. Similarly, if the bug is easily exploitable, but its impact is limited, then it is not a high risk issue either.
+
+There is not any hard and fast rule to determine if a bug is worth reporting as a security issue to [https://github.com/erlang/otp/security](https://github.com/erlang/otp/security). A general rule is that a bug which allows an unprivileged user to successfully attack the Erlang application, the Erlang runtime, or can be used as a springboard to attack other software running on the same or other machines is considered a security issue. As attacks we consider anything that affects the confidentiality, integrity and/or availability of the system.
+
+
+## What happens after the report?
+
+All security bugs in the Erlang/OTP distribution should be reported to [https://github.com/erlang/otp/security](https://github.com/erlang/otp/security). Your report will be handled by a small security team at the OTP team.
+
+Please use a descriptive title for your report. After the initial response to your report, the security team will keep you updated on the progress and decision being made towards a fix and release announcement.
+
+## Flagging Existing Issues as Security-related
+
+If you believe that an existing public issue on [https://github.com/erlang/otp/issues](https://github.com/erlang/otp/issues) is security-related, we ask that you report it via [https://github.com/erlang/otp/security](https://github.com/erlang/otp/security). The title should contain the issue ID from [https://github.com/erlang/otp/issues](https://github.com/erlang/otp/issues) (e.g., flagging security issue [#7539](https://github.com/erlang/otp/issues/7539)). Please include a short description to motivate why it should be handled according to the security policy.