Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions security.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,14 @@ permalink: /security/
includeTOC: false
---

## Receiving Security Announcements
## Receiving security announcements

Security announcements related to Scala are published to the ["Security Announcements" channel](https://users.scala-lang.org/c/security) on our discourse forum.

Messages to this channel can only be posted by administrators, so it is very low traffic.
To set up email notifications for new security announcements, read [this post](https://users.scala-lang.org/t/about-the-security-announcements-category).

## Releases Integrity
## Releases integrity

To ensure the integrity of all the releases, our organization uses [PGP](https://gnupg.org/) keys for cryptographic signing.
We provide below an **exhaustive** list of all the keys
Expand All @@ -24,7 +24,7 @@ used for signing the artifacts under the `org.scala-lang` namespace on [Maven Ce
| ACF3 9CCD ED38 E2C6 F089 8BF2 8F7F 6C04 5196 7B84 | RSA-4096 | [Download Public Key](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xacf39ccded38e2c6f0898bf28f7f6c0451967b84) |
| 2A5E 8B33 8438 CAC7 033F 9D8F B8A0 45C0 A6EC 398E | RSA-4096 | [Download Public Key](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2a5e8b338438cac7033f9d8fb8a045c0a6ec398e) |

## Reporting Vulnerabilities
## Reporting vulnerabilities

We strongly encourage reporting security issues in Scala to us privately before disclosing them in public.

Expand All @@ -36,3 +36,6 @@ In case you don't receive a reply within a few days and would like to escalate,
- [Meta category on Discourse](https://users.scala-lang.org/c/meta)
- [`#admin` channel on Discord](https://discord.com/channels/632150470000902164/632628729029328947) ([invite link](https://discord.com/invite/scala) for joining)

## Security guidance

- [Deserialization Security and Gadget Chains](https://docs.scala-lang.org/overviews/core/deserialization-security.html): how Java deserialization gadget chains work, examples involving the Scala standard library, and how to protect your applications.