Added security.txt

content/p/vulnerability-disclosure-policy.md

@@ -0,0 +1,63 @@
+---
+title: "Vulnerability disclosure policy"
+type: p
+---
+
+Do you think you've found a security flaw in AlmaLinux OS or one of our related projects? Read below for how to responsibly report it!
+
+## Reporting a Vulnerability
+
+> - [Our security.txt file](/.well-known/security.txt).
+
+Taking the time to report a security vulnerability to us is greatly appreciated, and we will use every resource at our disposal to respect your time during the reporting process. When reporting an issue, please provide **as much information** as possible, but at least:
+
+- The project and version (even better if you can identify the specific commit) where you identified the vulnerability
+- A detailed description of the steps to reproduce 
+- If appropriate, please include a proof of concept (plaintext only; no binaries)
+- Please also include your recommended remediation(s), if any, or any other concerns.
+
+> #### Do Not Send:
+> Sensitive or personal information.
+
+Our maintainers will attempt to respond to and confirm your report within 2-3 days, but if you believe your report to be *critical* to user safety and security, please note as such in the subject. We are fortunate enough to have hundreds of thousands of systems relying on the expertise of the AlmaLinux OS Team, and we take security very seriously.
+
+## Example Report
+
+```text
+- **Title**: Flaw in mouse_pretend_package prevents cat_catch_mouse from starting
+
+- **Environment** (list all tested or believed to be impacted): AlmaLinux 8, Platform: X86_64, OS Version: 8.5
+
+- **Description**:
+    I am unable to start cat_catch_mouse. When I try to start, I see the following error:
+
+    [root@localhost ~]# systemctl status cat_catch_mouse
+    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Failed with result 'exit-code'.
+    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Service RestartSec=100ms expired, scheduling restart.
+    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Start request repeated too quickly.
+    Month 08 00:18:43 localhost.localdomain systemd[1]: Failed to start CatCatchMouse.
+
+- **Steps to Reproduce**:
+    < insert all the steps that are necessary to reproduce the error. For example: >
+
+    1. Install AlmaLinux 8.4 and update to 8.5.
+    2. Run `sudo dnf install mouse_pretend_package`.
+    3. Run `sudo systemctl enable --now cat_catch_mouse`.
+    4. Try running `./alma_cat --list-all-mice`
+
+- **Expected Result**: We catch all the mice and see an output of "below is a list of all mice that have been caught".
+
+- **Actual Result**: `cat_catch_mouse.service` stops immediately with an exit code error.
+
+- **Severity**: Urgent
+```
+
+## Where to Report
+
+- For any issue that requires a coordinated release, send your report to [security@almalinux.org](mailto:security@almalinux.org) directly so we can coordinate a responsible patch and release.
+
+- For issues that are directly related to the AlmaLinux operating system itself and do not require coordinated disclosure, please send your report to [bugs.almalinux.org](https://bugs.almalinux.org), this ensures that your report is received by the right people.
+
+- For **non OS-related** reports (.e.g Elevate, almalinux.org website, etc), open an issue on the GitHub repo for that part of the project. 
+
+> Feel free to stay connected via our [security channel](https://chat.almalinux.org/almalinux/channels/security) on Mattermost, or join the [Testing & QA channel](https://chat.almalinux.org/almalinux/channels/testing) to get involved in further testing activities.

layouts/partials/common/footer.html

@@ -19,6 +19,7 @@ <h5>Resources</h5>
                     <li><a href="{{ "/get-almalinux" | relLangURL }}">{{ i18n "Downloads" }}</a></li>
                     <li><a href="{{ "/members" | relLangURL }}">{{ i18n "Membership" }}</a></li>
                     <li><a href="{{ "/elevate" | relLangURL }}">ELevate</a></li>
+                    <li><a href="/.well-known/security.txt">security.txt</a></li>
                     <li><a href="https://lists.almalinux.org/">{{ i18n "Mailing Lists" }}</a></li>
                     <li><a href="https://status.almalinux.org/">{{ i18n "Status Page" }}</a></li>
                     <li><a href="https://openqa.almalinux.org/">{{ i18n "openQA" }}</a></li>

static/.well-known/security.txt

@@ -0,0 +1,22 @@
+# This file provides security vulnerability reporting information for the AlmaLinux OS project.
+# Please follow the criteria below to ensure your report reaches the correct team.
+Preferred-Languages: en
+
+# Use this contact for vulnerabilities that require coordinated disclosure, no matter in which part of the project they are found. 
+Contact: security@almalinux.org
+
+# Use this contact if the issue is directly related to the AlmaLinux operating system itself but does not require coordinated disclosure.
+Contact: https://bugs.almalinux.org
+
+# For any other flaws, please report them in the repository that is associated with the part of the project in question.
+
+# Before submitting a report, please read our vulnerability disclosure policy.
+# This will help you understand the process and ensure your report is handled appropriately.
+Policy: https://almalinux.org/p/vulnerability-disclosure-policy/
+
+
+Encryption: https://almalinux.org/files/security-pgp-key.txt
+Expires: 2025-05-03T12:00:00.000Z
+
+
+# Important: Do not send sensitive data or vulnerability reports publicly.