| author | Reinier Zwitserloot <reinier@zwitserloot.com> | 2018-12-17 22:50:44 +0100 |
|---|---|---|
| committer | Reinier Zwitserloot <reinier@zwitserloot.com> | 2018-12-17 22:55:05 +0100 |
| commit | 16aeef1608942137b857b1fa31661106547eeb29 (patch) | |
| tree | ebd12e5eb3abe95ebd1251d193431f052743714b /website/templates/security.html | |
| parent | 6ca884be755ccb28d2ebfe4b2e138e5b0c276875 (diff) | |
[website] Added security vulnerability disclosure page
Diffstat (limited to 'website/templates/security.html')
| -rw-r--r-- | website/templates/security.html | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/website/templates/security.html b/website/templates/security.html new file mode 100644 index 00000000..8eb2b3f7 --- /dev/null +++ b/website/templates/security.html @@ -0,0 +1,18 @@ +<#import "/_scaffold.html" as main> +<@main.scaffold title="Security Vulnerabilities"> + <div class="page-header top5"> + <div> + <div class="row"> + <p> + Lombok is a build-time only dependency; there is no need for <code>lombok.jar</code> to be available when your application is run, it just needs to be there when you compile your code. + </p><p> + Therefore, lombok is highly unlikely to be a source of security vulnerabilities. + </p><p> + Nevertheless, if you have a concern or found a vulnerability, please disclose the vulnerability privately. We would like to coordinate with you so that we can release a fix for the vulnerability together with the disclosure of the vulnerability to the public. As an open source project we are not currently able to offer a monetary reward, but we will acknowledge your contribution (and we'll owe you a refreshing beverage of your choice, of course!), and work with you to set a reasonable timeline for a fix. + </p><p> + If you want to report a vulnerability, please contact the <a href="https://tidelift.com/security">tidelift security team</a>. Alternatively, you can contact us directly via <a href="mailto:info@projectlombok.org">info@projectlombok.org</a>. + </p> + </div> + </div> + </div> +</@main.scaffold> |
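
Review bot: the second paragraph's "Therefore, lombok is highly unlikely to be a source of security vulnerabilities" only follows for the running application, since the first paragraph itself says the jar "just needs to be there when you compile your code". Code that runs at compile time executes on developer and CI machines and shapes the output that ships, so I'd scope the sentence to runtime exposure and say that build-time issues are in scope for reports. In the last paragraph, the direct channel is a plain mailto to info@projectlombok.org, which reads as a general-purpose inbox. If private disclosure is the goal, consider a dedicated security address or a published encryption key, and state how quickly a reporter can expect an acknowledgement, since the text promises "a reasonable timeline for a fix" but gives no initial response window.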
