diff --git a/security.md b/security.md index 8c55c2052..3f91401b8 100644 --- a/security.md +++ b/security.md 
@@ -12,11 +12,23 @@ Security announcements related to Scala are published to the ["Security Announce Messages to this channel can only be posted by administrators, so it is very low traffic. To set up email notifications for new security announcements, read [this post](https://users.scala-lang.org/t/about-the-security-announcements-category). +## Releases Integrity + +To ensure the integrity of all the releases, our organization uses [PGP](https://gnupg.org/) keys for cryptographic signing. +We provide below an **exhaustive** list of all the keys +used for signing the artifacts under the `org.scala-lang` namespace on [Maven Central](https://central.sonatype.com/namespace/org.scala-lang) + +| Fingerprint | Algorithm | Public Key | +|:-------------------------------------------------:|:---------:|:-----------------------------------------------------------------------------------------------------------------------:| +| 86DA 41A5 E169 9C9C EBE9 64A8 A905 2B1B 6D92 E560 | RSA-4096 | [Download Public Key](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x86da41a5e1699c9cebe964a8a9052b1b6d92e560) | +| ACF3 9CCD ED38 E2C6 F089 8BF2 8F7F 6C04 5196 7B84 | RSA-4096 | [Download Public Key](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xacf39ccded38e2c6f0898bf28f7f6c0451967b84) | +| 2A5E 8B33 8438 CAC7 033F 9D8F B8A0 45C0 A6EC 398E | RSA-4096 | [Download Public Key](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2a5e8b338438cac7033f9d8fb8a045c0a6ec398e) | + ## Reporting Vulnerabilities We strongly encourage reporting security issues in Scala to us privately before disclosing them in public. -The email address for security related communication is `security@scala-lang.org`. +The email address for security related communication is [`security@scala-lang.org`](mailto:security@scala-lang.org). Messages are delivered to the Scala Security Team, which includes people from EPFL, the Scala Center, VirtusLab and Lightbend. 
We strive to acknowledge reports within 2 business days.
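Review bot: The new "Releases Integrity" section never tells the reader to compare the key they download against the fingerprint in the table. Each "Download Public Key" link points at keyserver.ubuntu.com, a third-party service, so the fingerprint printed on this page is the only trust anchor the section provides. Suggest adding one sentence after the table saying that, after importing a key, the reader should confirm its full 40-hex-digit fingerprint matches a row here before trusting any signature made with it. The list is called **exhaustive**, but nothing says which key signs which artifacts or release lines, or how a retired or revoked key will be marked; a short column or note would keep the table usable once keys rotate. Minor: the heading reads better as "Release Integrity", and the sentence ending in "on [Maven Central](...)" is missing its final period.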