From 16aeef1608942137b857b1fa31661106547eeb29 Mon Sep 17 00:00:00 2001 From: Reinier Zwitserloot Date: Mon, 17 Dec 2018 22:50:44 +0100 Subject: [website] Added security vulnerability disclosure page --- website/extra/htaccess | 4 ++++ website/resources/.well-known/security.txt | 4 ++++ website/resources/js/supporters.js | 2 +- website/templates/_scaffold.html | 5 +++-- website/templates/contact.html | 19 +++++++++++++++++++ website/templates/contributing/index.html | 3 +++ website/templates/security.html | 18 ++++++++++++++++++ 7 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 website/resources/.well-known/security.txt create mode 100644 website/templates/contact.html create mode 100644 website/templates/security.html (limited to 'website') diff --git a/website/extra/htaccess b/website/extra/htaccess index f2abad2d..e7b54de4 100644 --- a/website/extra/htaccess +++ b/website/extra/htaccess @@ -24,6 +24,10 @@ RewriteRule ^disable-checked-exceptions$ /disable-checked-exceptions.html [L,END RewriteRule ^disable-checked-exceptions(\.html)?/?$ /disable-checked-exceptions [NC,R=301] RewriteRule ^supporters$ /supporters.html [L,END] RewriteRule ^supporters(.html)?/?$ /supporters [NC,R=301] +RewriteRule ^security$ /security.html [L,END] +RewriteRule ^security(.html)?/?$ /security [NC,R=301] +RewriteRule ^contact$ /contact.html [L,END] +RewriteRule ^contact(.html)?/?$ /contact [NC,R=301] RewriteRule ^order-license-info$ /order-license-info.html [L,END] RewriteRule ^order-?license-?info(.html)?/?$ /order-license-info [NC,R=301] RewriteRule ^order-license$ /order-license.html [L,END] diff --git a/website/resources/.well-known/security.txt b/website/resources/.well-known/security.txt new file mode 100644 index 00000000..256f50fd --- /dev/null +++ b/website/resources/.well-known/security.txt @@ -0,0 +1,4 @@ +Contact: https://tidelift.com/security +Contact: mailto:info@projectlombok.org + +# If encrypted communication is required, let us know and we'll provide a public GPG key. diff --git a/website/resources/js/supporters.js b/website/resources/js/supporters.js index 62beca81..6d770905 100644 --- a/website/resources/js/supporters.js +++ b/website/resources/js/supporters.js @@ -214,7 +214,7 @@ }); if (s.children().length < 1) { var x = $("
").addClass("noSupportersBox").html( - "We don't have any supporters yet this month.
Become a patron " + + "We don't have any supporters yet this month.
Become a patron " + "or order a professional or enterprise license today!"); s.append(x); } diff --git a/website/templates/_scaffold.html b/website/templates/_scaffold.html index 65b2fb7f..be004744 100644 --- a/website/templates/_scaffold.html +++ b/website/templates/_scaffold.html @@ -100,9 +100,10 @@ ga('send', 'pageview');
  • Community
  • diff --git a/website/templates/contact.html b/website/templates/contact.html new file mode 100644 index 00000000..584c41bf --- /dev/null +++ b/website/templates/contact.html @@ -0,0 +1,19 @@ +<#import "/_scaffold.html" as main> +<@main.scaffold title="Contacting the team behind Project Lombok"> +
    +
    +
    +

    + Project Lombok is an open source project, maintained primarily by Roel Spilker and Reinier Zwitserloot. We have day jobs and don't get paid much for Project Lombok's maintenance. Please keep this in mind when contacting us; we're doing it out of love. +

    + To contact us,

      +
    • There's a forum; we read and respond here.
      • +
    • If you have a feature request or bug report, please file it on our github bug tracker.
      • +
    • If you have a security vulnerability to report, please contact us via our security vulnerability disclosure page.
      • +
    • We love giving presentations, about lombok, or even just general java things. Send us a mail if you want to invite us to do a talk.
      • +
    +

    +
    +
    +
    + diff --git a/website/templates/contributing/index.html b/website/templates/contributing/index.html index 4f6a1bca..c6c85483 100644 --- a/website/templates/contributing/index.html +++ b/website/templates/contributing/index.html @@ -13,5 +13,8 @@ Discusses how lombok ends up being invoked, and how it gets around to transforming code being compiled / edited.
    • +
    + More documentation can be found on the project lombok github wiki. +
    diff --git a/website/templates/security.html b/website/templates/security.html new file mode 100644 index 00000000..8eb2b3f7 --- /dev/null +++ b/website/templates/security.html @@ -0,0 +1,18 @@ +<#import "/_scaffold.html" as main> +<@main.scaffold title="Security Vulnerabilities"> +
    +
    +
    +

    + Lombok is a build-time only dependency; there is no need for lombok.jar to be available when your application is run, it just needs to be there when you compile your code. +

    + Therefore, lombok is highly unlikely to be a source of security vulnerabilities. +

    + Nevertheless, if you have a concern or found a vulnerability, please disclose the vulnerability privately. We would like to coordinate with you so that we can release a fix for the vulnerability together with the disclosure of the vulnerability to the public. As an open source project we are not currently able to offer a monetary reward, but we will acknowledge your contribution (and we'll owe you a refreshing beverage of your choice, of course!), and work with you to set a reasonable timeline for a fix. +

    + If you want to report a vulnerability, please contact the tidelift security team. Alternatively, you can contact us directly via info@projectlombok.org. +

    +
    +
    +
    + -- cgit