Security notice (#767)

Co-authored-by: triphora <emmaffle@modrinth.com>

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -1,41 +0,0 @@
-name: Bug report
-description: Create a report to help us improve knossos
-labels: [bug]
-body:
-  - type: dropdown
-    attributes:
-      label: Environment
-      options:
-        - Staging
-        - Website
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Describe the bug
-      description: A clear and concise description of what the bug is.
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Steps To Reproduce
-      description: Steps to reproduce the behavior.
-      placeholder: |
-        1. Go to '...'
-        2. Click on '....'
-        3. Scroll down to '....'
-        4. See error
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Expected behavior
-      description: A clear and concise description of what you expected to happen.
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Additional context
-      description: Add any other context about the problem here.
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Discord
-    about: Ask questions on our Discord Server.
-    url: https://discord.gg/EUHuJHt
-  - name: Documentation
-    about: Useful documentation about Modrinth, its API, and how you can contribute.
-    url: https://docs.modrinth.com

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -1,28 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-labels: [feature request]
-body:
-  - type: textarea
-    attributes:
-      label: Is your feature request related to a problem? Please describe.
-      description: A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Describe the solution you'd like
-      description: A clear and concise description of what you want to happen.
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Describe alternatives you've considered
-      description: A clear and concise description of any alternative solutions or features you've considered.
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Additional context
-      description: Add any other context or screenshots about the feature request here.
-    validations:
-      required: false

layouts/default.vue

@@ -340,12 +340,7 @@
         <nuxt-link to="/legal/terms">Terms</nuxt-link>
         <nuxt-link to="/legal/privacy">Privacy</nuxt-link>
         <nuxt-link to="/legal/rules">Rules</nuxt-link>
-        <a
+        <nuxt-link to="/legal/security">Security</nuxt-link>
-          :target="$external()"
-          href="https://github.com/modrinth/knossos/blob/master/LICENSE.md"
-        >
-          License
-        </a>
       </div>
       <div class="links links-2" role="region" aria-label="Resources">
         <h4 aria-hidden="true">Resources</h4>

pages/legal.vue

@@ -13,6 +13,9 @@
           <NavStackItem link="/legal/rules" label="Content Rules">
             <RulesIcon />
           </NavStackItem>
+          <NavStackItem link="/legal/security" label="Security Notice">
+            <ShieldIcon />
+          </NavStackItem>
         </NavStack>
       </aside>
     </div>
@@ -29,6 +32,7 @@ import NavStackItem from '~/components/ui/NavStackItem'
 import TermsIcon from '~/assets/images/utils/heart-handshake.svg?inline'
 import PrivacyIcon from '~/assets/images/utils/lock.svg?inline'
 import RulesIcon from '~/assets/images/sidebar/admin.svg?inline'
+import ShieldIcon from '~/assets/images/utils/shield.svg?inline'
 
 export default {
   name: 'Settings',
@@ -38,6 +42,7 @@ export default {
     TermsIcon,
     PrivacyIcon,
     RulesIcon,
+    ShieldIcon,
   },
 }
 </script>

pages/legal/security.vue

@@ -0,0 +1,93 @@
+<template>
+  <div>
+    <h1>Security Notice</h1>
+
+    <p>
+      This is the security notice for all Modrinth repositories. The notice
+      explains how vulnerabilities should be reported.
+    </p>
+    <h2>Reporting a Vulnerability</h2>
+    <p>
+      If you've found a vulnerability, we would like to know so we can fix it
+      before it is released publicly.
+      <strong>Do not open a GitHub issue for a found vulnerability</strong>.
+    </p>
+    <p>
+      Send details to <a href="mailto:jai@modrinth.com">jai@modrinth.com</a>
+      including:
+    </p>
+    <ul>
+      <li>
+        the website, page or repository where the vulnerability can be observed
+      </li>
+      <li>a brief description of the vulnerability</li>
+      <li>
+        optionally the type of vulnerability and any related
+        <a
+          href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project"
+        >
+          OWASP category
+        </a>
+      </li>
+      <li>non-destructive exploitation details</li>
+    </ul>
+    <p>We will do our best to reply as fast as possible.</p>
+    <h2>Scope</h2>
+    <p>The following vulnerabilities <strong>are not</strong> in scope:</p>
+    <ul>
+      <li>
+        volumetric vulnerabilities, for example overwhelming a service with a
+        high volume of requests
+      </li>
+      <li>
+        reports indicating that our services do not fully align with "best
+        practice", for example missing security headers
+      </li>
+    </ul>
+    <p>
+      If you aren't sure, you can still reach out via email or direct message.
+    </p>
+    <hr />
+    <p>
+      This notice is inspired by the
+      <a href="https://www.pythondiscord.com/pages/security-notice/">
+        Python Discord Security Notice</a
+      >.
+    </p>
+    <p><em>Version 2022-11</em></p>
+  </div>
+</template>
+
+<script>
+export default {
+  auth: false,
+  head: {
+    title: 'Security Notice - Modrinth',
+    meta: [
+      {
+        hid: 'description',
+        name: 'description',
+        content:
+          'The Security Notice of Modrinth, an open source modding platform focused on Minecraft.',
+      },
+      {
+        hid: 'apple-mobile-web-app-title',
+        name: 'apple-mobile-web-app-title',
+        content: 'Security Notice',
+      },
+      {
+        hid: 'og:title',
+        name: 'og:title',
+        content: 'Security Notice',
+      },
+      {
+        hid: 'og:url',
+        name: 'og:url',
+        content: `https://modrinth.com/legal/security`,
+      },
+    ],
+  },
+}
+</script>
+
+<style lang="scss" scoped></style>