Security notice (#767)

Co-authored-by: triphora <emmaffle@modrinth.com>
2022-11-26 18:16:34 -08:00
parent de170ebdd2
commit 8f137cf49d
6 changed files with 99 additions and 83 deletions
--- a/pages/legal.vue
+++ b/pages/legal.vue
@@ -13,6 +13,9 @@
          <NavStackItem link="/legal/rules" label="Content Rules">
            <RulesIcon />
          </NavStackItem>
+          <NavStackItem link="/legal/security" label="Security Notice">
+            <ShieldIcon />
+          </NavStackItem>
        </NavStack>
      </aside>
    </div>
@@ -29,6 +32,7 @@ import NavStackItem from '~/components/ui/NavStackItem'
 import TermsIcon from '~/assets/images/utils/heart-handshake.svg?inline'
 import PrivacyIcon from '~/assets/images/utils/lock.svg?inline'
 import RulesIcon from '~/assets/images/sidebar/admin.svg?inline'
+import ShieldIcon from '~/assets/images/utils/shield.svg?inline'

 export default {
  name: 'Settings',
@@ -38,6 +42,7 @@ export default {
    TermsIcon,
    PrivacyIcon,
    RulesIcon,
+    ShieldIcon,
  },
 }
 </script>
--- a/pages/legal/security.vue
+++ b/pages/legal/security.vue
@@ -0,0 +1,93 @@
+<template>
+  <div>
+    <h1>Security Notice</h1>
+
+    <p>
+      This is the security notice for all Modrinth repositories. The notice
+      explains how vulnerabilities should be reported.
+    </p>
+    <h2>Reporting a Vulnerability</h2>
+    <p>
+      If you've found a vulnerability, we would like to know so we can fix it
+      before it is released publicly.
+      <strong>Do not open a GitHub issue for a found vulnerability</strong>.
+    </p>
+    <p>
+      Send details to <a href="mailto:jai@modrinth.com">jai@modrinth.com</a>
+      including:
+    </p>
+    <ul>
+      <li>
+        the website, page or repository where the vulnerability can be observed
+      </li>
+      <li>a brief description of the vulnerability</li>
+      <li>
+        optionally the type of vulnerability and any related
+        <a
+          href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project"
+        >
+          OWASP category
+        </a>
+      </li>
+      <li>non-destructive exploitation details</li>
+    </ul>
+    <p>We will do our best to reply as fast as possible.</p>
+    <h2>Scope</h2>
+    <p>The following vulnerabilities <strong>are not</strong> in scope:</p>
+    <ul>
+      <li>
+        volumetric vulnerabilities, for example overwhelming a service with a
+        high volume of requests
+      </li>
+      <li>
+        reports indicating that our services do not fully align with "best
+        practice", for example missing security headers
+      </li>
+    </ul>
+    <p>
+      If you aren't sure, you can still reach out via email or direct message.
+    </p>
+    <hr />
+    <p>
+      This notice is inspired by the
+      <a href="https://www.pythondiscord.com/pages/security-notice/">
+        Python Discord Security Notice</a
+      >.
+    </p>
+    <p><em>Version 2022-11</em></p>
+  </div>
+</template>
+
+<script>
+export default {
+  auth: false,
+  head: {
+    title: 'Security Notice - Modrinth',
+    meta: [
+      {
+        hid: 'description',
+        name: 'description',
+        content:
+          'The Security Notice of Modrinth, an open source modding platform focused on Minecraft.',
+      },
+      {
+        hid: 'apple-mobile-web-app-title',
+        name: 'apple-mobile-web-app-title',
+        content: 'Security Notice',
+      },
+      {
+        hid: 'og:title',
+        name: 'og:title',
+        content: 'Security Notice',
+      },
+      {
+        hid: 'og:url',
+        name: 'og:url',
+        content: `https://modrinth.com/legal/security`,
+      },
+    ],
+  },
+}
+</script>
+
+<style lang="scss" scoped></style>