Add a crates.io-specific security page

carols10cents · carols10cents · commit 272dd9b16cea · 2024-06-04T14:31:19.000-04:00
diff --git a/app/components/footer.hbs b/app/components/footer.hbs
@@ -23,7 +23,7 @@
       <h1>Policies</h1>
       <ul role="list">
         <li><LinkTo @route="policies">Usage Policy</LinkTo></li>
-        <li><a href="https://www.rust-lang.org/policies/security">Security</a></li>
+        <li><LinkTo @route="security">Security</LinkTo></li>
         <li><a href="https://foundation.rust-lang.org/policies/privacy-policy/">Privacy Policy</a></li>
         <li><a href="https://www.rust-lang.org/policies/code-of-conduct">Code of Conduct</a></li>
         <li><LinkTo @route="data-access">Data Access</LinkTo></li>
diff --git a/app/router.js b/app/router.js
@@ -52,6 +52,7 @@ Router.map(function () {
   this.route('category-slugs', { path: 'category_slugs' });
   this.route('team', { path: '/teams/:team_id' });
   this.route('policies');
+  this.route('security');
   this.route('data-access');
   this.route('confirm', { path: '/confirm/:email_token' });
   this.route('accept-invite', { path: '/accept-invite/:token' });
diff --git a/app/templates/policies.hbs b/app/templates/policies.hbs
@@ -102,17 +102,7 @@
 
   <h2 id='security'>Security</h2>
 
-  <p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo and crates.io have
-    secure implementations. To learn more about disclosing security vulnerabilities for these tools, please reference the
-    <a href='https://www.rust-lang.org/policies/security'>Rust Security policy</a>
-    for more details.</p>
-
-  <p>Note that this policy only applies to official Rust projects like crates.io and cargo, and not individual crates. The
-    crates.io team and the Security Response working group are not responsible for the disclosure of vulnerabilities to
-    specific crates, and if any issues are found, you should seek guidance from the individual crate owners and their
-    specific policies instead.</p>
-
-  <p>Thank you for taking the time to responsibly disclose any issues you find.</p>
+  <p>Please see the <LinkTo @route="security">Security page</LinkTo>.</p>
 
   <h2 id='sexually-obscene-content'>Sexually Obscene Content</h2>
 
diff --git a/app/templates/security.hbs b/app/templates/security.hbs
@@ -0,0 +1,52 @@
+<PageHeader @title='Security Information' />
+
+<TextContent @boxed={{true}}>
+
+  <h2 id='crates-io-security'>Security of crates.io itself</h2>
+
+  <p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo, crates.io, docs.rs, and
+    related tools have secure implementations. To disclose security vulnerabilities in
+    <a href='https://github.com/rust-lang'>any repository in the rust-lang organization</a>, please follow the
+    <a href='https://www.rust-lang.org/policies/security'>Rust Security policy</a>.</p>
+
+    <p>Thank you for taking the time to responsibly disclose any issues you find.</p>
+
+  <h2 id='crate-security'>Security of crates hosted on crates.io</h2>
+
+  <p>To disclose security vulnerabilities found in a crate that is hosted on crates.io, seek guidance from the individual crate's
+    owners and their specific policies. Commonly, projects include a file named <code>SECURITY.md</code> that contains the
+    crate's security policies and procedures.</p>
+
+  <h2 id='rustsec'>Rustsec Security Advisory Database for receiving security updates</h2>
+
+  <p>The <a href="https://rustsec.org/">Rustsec Security Advisory Database</a> maintains advisories about vulnerabilities in
+    crates published on crates.io. Maintained by the <a href="https://www.rust-lang.org/governance/wgs/wg-secure-code">Secure
+    Code Working Group</a>, the information is available in a variety of forms to incorporate into your development practices.
+    See <a href="https://rustsec.org/contributing.html">their steps to submit a vulnerability to the database</a>.</p>
+
+  <h2 id='ecosystem-security-help'>Ecosystem security help for crate authors</h2>
+
+  <p>Security is a value important to the Rust ecosystem as a whole, not just to the Rust language. If you are a crate author and
+    you have received a high impact/severity security bug report for your crate, the Rust Foundation and the Rust Project are
+    available to help manage the situation. The Rust Project or the Rust Foundation may also be the ones reaching out to you, if
+    they have been informed of a security issue.</p>
+
+  <p>As part of its <a href="https://foundation.rust-lang.org/tags/security%20initiative/">Security Initiative</a>, the Rust
+    Foundation:</p>
+
+  <ul>
+    <li>Employs security engineers who can help assessing the problem, developing mitigations, and estimating impact.</li>
+    <li>Has a network of member organizations that can help with testing resources and also employ security experts who can help
+      with assessing and fixing issues.</li>
+    <li>Employs communications staff who can manage publishing notifications and fielding inquiries.</li>
+    <li>Has contacts with government agencies tasked with cybersecurity protections who may have information on exploitation or
+      impact of a security problem.</li>
+  </ul>
+
+  <p>The Rust Project can coordinate actions among other parts of the ecosystem that may need to be updated to address a fix.</p>
+
+  <p>Please reach out to <a href="mailto:contact@rustfoundation.org">contact@rustfoundation.org</a> if either the Rust Project or
+    the Rust Foundation can help you by providing security support in the areas listed above or in another way! These are just a
+    few examples of the kind of help available to crate authors facing security challenges.</p>
+
+</TextContent>
