diff --git a/config.toml b/config.toml
index 1129254ba713abf153e98b669bb071e47b854ef8..3fd929da3b86cceb6059855ad85f498a7414acb1 100644
--- a/config.toml
+++ b/config.toml
@@ -180,3 +180,29 @@ pluralizeListTitles = false
 weight = 1
+[[menu.sidebar]]
+ identifier = "security"
+ name = "Security"
+ url = "/security"
+ weight = 1
+
+[[menu.sidebar]]
+ parent = "security"
+ name = "Mail the Security Team"
+ url = "mailto:security@eclipse-foundation.org"
+ pre = "<i class=\"fa fa-caret-right fa-fw\"></i>"
+ weight = 1
+
+[[menu.sidebar]]
+ parent = "security"
+ name = "Team Members"
+ url = "/security/team"
+ pre = "<i class=\"fa fa-caret-right fa-fw\"></i>"
+ weight = 2
+
+[[menu.sidebar]]
+ parent = "security"
+ name = "Policy"
+ url = "/security/policy"
+ pre = "<i class=\"fa fa-caret-right fa-fw\"></i>"
+ weight = 3
diff --git a/config/nginx/default.conf b/config/nginx/default.conf
index 2055c8f24a31417cfa7fa9927d6bfa57b991dce3..f8572a2087ee55ec5605b381431d4c2ba6f5c0e3 100644
--- a/config/nginx/default.conf
+++ b/config/nginx/default.conf
@@ -83,6 +83,13 @@ server {
 # www.eclipse.org/openchain
 rewrite /projects/openchain /openchain redirect;
+
+ # www.eclipse.org/security
+ # https://git.eclipse.org/c/www.eclipse.org/security.git/tree/
+ rewrite /security/index.php /security/ redirect;
+ rewrite /security/team.php /security/team/ redirect;
+ rewrite /security/report.php /security/report/ redirect;
+ rewrite /security/known.php /security/known/ redirect;
+
 root /usr/share/nginx/html/;
 index index.html index.htm;
 }
@@ -95,4 +102,4 @@ server {
 # deny access to .htaccess files, if Apache's document root
 # concurs with nginx's one
-}
\ No newline at end of file
+}
diff --git a/content/security/_index.md b/content/security/_index.md
new file mode 100644
index 0000000000000000000000000000000000000000..8b52b13e0671995cd1b3d09b2722763f13e85e49
--- /dev/null
+++ b/content/security/_index.md
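Review bot: The four added `rewrite` lines use unanchored patterns and a temporary `redirect` (302) for legacy PHP URLs that are presumably gone for good; `rewrite` takes a PCRE regex, so `/security/team.php` also matches `/security/team.php/anything` or `/old/security/team.php`, and the unescaped `.` matches any character. The existing `/projects/openchain` rewrite just above uses the same style, so this may be deliberate, but for a permanent move the anchored 301 form is safer for caches and crawlers: `rewrite ^/security/index\.php$ /security/ permanent;` and `rewrite ^/security/(team|report|known)\.php$ /security/$1/ permanent;`. Note also that this commit adds content only for `/security/`, `/security/team/` and `/security/policy/`; unless `/security/report/` and `/security/known/` exist elsewhere (the `_index.md` in this same commit links to `/security/known`), those two redirects will land on a 404.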
@@ -0,0 +1,49 @@
+---
+title: Eclipse Vulnerability Reporting
+keywords: ['report', 'vulnerability']
+hide_page_title: true
+layout: single
+---
+
+# How to report a vulnerability?
+
+If you would like to report a security vulnerability in an Eclipse Foundation
+project, first check the project's repository for the `SECURITY.md` file and
+follow specific instructions for that project. If there is no specific
+information there, you have two options. Either report the issue by email to
+the [Eclipse Foundation Security Team](mailto:security@eclipse-foundation.org),
+or use the [dedicated issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).
+
+## Additional Information
+
+The **Eclipse Foundation Security Team** provides help and advice to Eclipse
+Foundation projects on vulnerability issues and is the first point of contact
+for handling security vulnerabilities. Members of the Eclipse Foundation
+Security Team are selected amongs committers on Eclipse Projects, members of
+the Eclipse Architecture Council, and Eclipse Foundation staff.
+
+The general security mailing list address is <security@eclipse-foundation.org>.
+Members of the Eclipse Foundation Security Team will receive messages sent to
+this address. This address should be used only for reporting undisclosed
+vulnerabilities; regular issue reports and questions unrelated to
+vulnerabilities in Eclipse Foundation software will be ignored. Note that this
+email set to this address is not encrypted.
+
+**Note that, as a matter of policy, the security team does not open attachments.**
+
+The community is also encouraged to report vulnerabilities using the [Eclipse
+Foundation's issue tracker](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability).
+Note that you will need an Eclipse Foundation account to create an issue report
+([create an account here if you do not have one](https://accounts.eclipse.org/user/register?destination=user)),
+but by doing so you will be able to participate directly in the resolution of
+the issue.
+
+Issue reports related to vulnerabilities must be marked as "confidential",
+either automatically by clicking the provided link by the reporter, or by a
+committer during the triage process.
+
+## Disclosure
+
+The timing and manner of disclosure is governed by the [Eclipse Foundation Vulnerability Reporting Policy](/security/policy).
+
+Publicly disclosed issues are listed on the [Disclosed Vulnerabilities page](/security/known).
diff --git a/content/security/policy/index.md b/content/security/policy/index.md
new file mode 100644
index 0000000000000000000000000000000000000000..8ebb7ba3990563b1cc591b3f709c82b9af8e5f58
--- /dev/null
+++ b/content/security/policy/index.md
@@ -0,0 +1,165 @@
+---
+title: Eclipse Foundation Vulnerability Reporting Policy
+seo_title: Vulnerability Reporting Policy | Eclipse Foundation
+keywords: [eclipse, project, security]
+tags: [eclipse, project, security]
+---
+
+Version 1.1 February 4/2020
+
+## Overview
+
+The purpose of the Eclipse Vulnerability Reporting Policy is to set forth the
+general principles under which the Eclipse Foundation manages the reporting,
+management, discussion, and disclosure of Vulnerabilities discovered in Eclipse
+software. This Vulnerability Reporting Policy applies to all software
+distributed by the Eclipse Foundation, including all software authored by
+Eclipse Committers and third-parties. This Eclipse Vulnerability Reporting
+Policy should at all times be interpreted in a manner that is consistent with
+the Purposes of the Eclipse Foundation as set forth in the
+[Eclipse Foundation Bylaws](/org/documents/eclipse_foundation-bylaws.pdf) and
+the [Eclipse Foundation Development Process](/org/projects/dev_process/).
+
+## Terms
+
+**Security Team**
+
+The Security Team, or "Eclipse Security Team" is the team tasked with security
+and Vulnerability management on behalf of the Eclipse community.
+
+**Vulnerability**
+
+This policy uses the ISO 27005 definition of Vulnerability: "A weakness of an
+asset or group of assets that can be exploited by one or more threats."
+
+Other terms used in this document are defined in the
+[Eclipse Foundation Development Process](/projects/dev_process/).
+
+## Eclipse Security Team
+
+The Eclipse Security Team is the first line of defense: it is effectively a
+triage unit with security and Vulnerability management expertise. The Security
+Team exists to provide assistance; Vulnerabilities are addressed and resolved by
+project committers with guidance and assistance from the Security Team.
+
+The Security Team is composed of a small number of security experts and
+representatives from the Project Management Committees. All members are
+appointed by EMO(ED) or their designate.
+
+## Discussion
+
+The Eclipse Foundation is responsible for establishing communication channels
+for the Security Team.
+
+Every potential issue reported on established communication channels should be
+triaged and relevant parties notified. Initial discussion of a potential
+Vulnerability may occur privately amongst members of the project and Security
+Team. Discussion should be moved to and tracked by an Eclipse
+Foundation-supported issue tracker as early as possible once confirmed so the
+mitigation process may proceed. Appropriate effort must be undertaken to ensure
+the initial visibility, as well as the legitimacy, of every reported issue.
+
+## Resolution
+
+A Vulnerability is considered resolved when either a patch or workaround is
+available, or it is determined that a fix is not possible or desirable.
+
+It is left to the discretion of the Security Team and Project Leadership Chain
+to determine what subset of the project team are best suited to resolve
+Vulnerabilities. The Security Team and project leaders may also — at their
+discretion — assemble external resources (e.g. subject matter experts) or call on
+the expertise of the Eclipse Architecture Council.
+
+In the unlikely event that a project team does not engage in good faith to
+resolve a disclosed Vulnerability, an Eclipse Foundation member may — at their
+discretion — engage in the Grievance Process as defined by the
+[Eclipse Foundation Development Process](/projects/dev_process/).
+
+## Distribution
+
+Once a Vulnerability has been resolved, the updated software must be made
+available to the community.
+
+At a minimum, updated software must be made available via normal project
+distribution channels.
+
+## Disclosure
+
+Disclosure is initially limited to the reporter and all Eclipse Committers, but
+may be expanded to include other individuals.
+
+All Vulnerabilities must be disclosed, regardless of the resolution. Users and
+administrators of Eclipse software must be made aware that a Vulnerability
+exists so they may assess risk, and take the appropriate action to protect their
+users, servers and systems from potential exploit.
+
+### Timing
+
+The timing of disclosure is left to the discretion of the Project Leadership
+Chain. In the absence of specific guidance from the Project Leadership Chain,
+the following guidelines are recommended:
+
+- Vulnerabilities for which there is a patch, workaround or fix, should be
+ disclosed to the community immediately; and
+- Vulnerabilities — regardless of state — must be disclosed to the
+ community after a maximum three months.
+
+Vulnerabilities need not necessarily be resolved at the time of disclosure.
+
+### Quiet Disclosure
+
+A Vulnerability may be quietly disclosed by simply removing visibility
+restrictions.
+
+In general, quiet disclosure is appropriate only for issues that are identified
+by a committer as having been erroneously marked as Vulnerabilities.
+
+### Progressive Disclosure
+
+Knowledge of a Vulnerability can be extended to specific individuals before it
+is reported to the community. A Vulnerability may — at the discretion of the
+committer — be disclosed to specific individuals. A committer may, for example,
+provide access to a subject-matter expert to solicit help or advice. A
+Vulnerability may also be disclosed to known adopters to allow them an
+opportunity to mitigate their immediate risk and prepare for a forthcoming
+resolution.
+
+### Full Disclosure
+
+All Vulnerabilities must eventually be fully disclosed to the community at
+large.
+
+To complete the disclosure of a Vulnerability, all restrictions on visibility
+must be removed and the Vulnerability reported via channels provided by the
+Eclipse Foundation.
+
+### Reporting
+
+A project team may, at their discretion, opt to disclose a Vulnerability to a
+reporting authority.
+
+The EMO will determine how to engage with Vulnerability reporting authorities.
+
+## History
+
+Changes made in this document:
+
+### Change Log
+
+#### [2019] - 2019-03-06 (version 1.1)
+
+##### Changes
+
+- Changed the name from "Security Policy" to "Vulnerability Reporting Policy"
+- Formalized terms into their own section.
+- Changed several occurances of the word "can" to "may" to improve clarity.
+
+##### Added
+
+- Added a pointer to the Grievance Handling section of the Eclipse Foundation Development Process.
+
+##### Removed
+
+- Removed references to specific technology (e.g., Bugzilla or specific mailing
+ lists). These are implementation details.
+- Removed references to the Eclipse Planning Council and Simultaneous Release.
diff --git a/content/security/team/_index.md b/content/security/team/_index.md
new file mode 100644
index 0000000000000000000000000000000000000000..f93814e681b6731cfdce81b892336701677de78b
--- /dev/null
+++ b/content/security/team/_index.md
@@ -0,0 +1,13 @@
+---
+title: Eclipse Foundation Security Team
+seo_title: Security Team | Security | Eclipse Foundation
+---
+
+## Staff Members
+
+{{< pages/security/team type="staff" >}}
+
+
+## Community Members
+
+{{< pages/security/team type="community" >}}
diff --git a/data/security/team.yml b/data/security/team.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8663150d46b5945adb6ea5a36afc1c4a6c93aa35
--- /dev/null
+++ b/data/security/team.yml
@@ -0,0 +1,137 @@
+# Copyright (c) 2023 Eclipse Foundation, Inc.
+
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0.
+#
+# Contributors:
+# Olivier Goulet <olivier.goulet@eclipse-foundation.org>
+#
+# SPDX-License-Identifier: EPL-2.0
+
+# Associate icons and text for appending to link types
+link_types:
+ eclipse:
+ icon: fa fa-user
+ postfix: (eclipse.org)
+ eclipse_gitlab:
+ icon: fa fa-gitlab
+ postfix: (gitlab.eclipse.org)
+ github:
+ icon: fa fa-github
+ postfix: (github.com)
+ twitter:
+ icon: fa fa-twitter
+ mastodon:
+ icon: fa fa-square-share-o
+ website:
+ icon: fa fa-safari
+ email:
+ icon: fa fa-envelope-o
+ pgp:
+ icon: fa fa-id-card-o
+ linkedin:
+ icon: fa fa-linkedin
+ postfix: (LinkedIn)
+
+# Security team members
+staff:
+ - name: Mikaël Barbero
+ image: https://eclipse.org/org/foundation/images_staff/mikael.jpg
+ links:
+ - text: mbarbero
+ type: eclipse
+ url: https://accounts.eclipse.org/users/mbarbero
+ - text: mbarbero
+ type: eclipse_gitlab
+ url: https://gitlab.eclipse.org/mbarbero
+ - text: mbarbero
+ type: github
+ url: https://github.com/mbarbero
+ - text: "@mikbarbero"
+ type: twitter
+ url: https://twitter.com/mikbarbero
+ - text: "@mbarbero@hachyderm.io"
+ type: mastodon
+ url: https://hachyderm.io/@mbarbero
+ - text: mikael.barbero.tech
+ type: website
+ url: https://mikael.barbero.tech
+ - text: mikael.barbero@eclipse-foundation.org
+ type: email
+ url: mailto:mikael.barbero@eclipse-foundation.org
+ - text: 3FAF B6A7 46AB 3E21 FDE0 E9E8 E1E6 5F0B 59A4 C4FB
+ type: pgp
+ url: https://keys.openpgp.org/search?q=3FAFB6A746AB3E21FDE0E9E8E1E65F0B59A4C4FB
+ - name: Tiago Lucas
+ image: https://www.eclipse.org/org/foundation/images_staff/tiago-lucas.jpg
+ links:
+ - text: tiagolucas
+ type: eclipse
+ url: https://eclipse.org/user/tiagolucas
+ - text: tiagolucas
+ type: eclipse_gitlab
+ url: https://gitlab.eclipse.org/tiagolucas
+ - text: TiagoLucas22478
+ type: github
+ url: https://github.com/TiagoLucas22478
+ - text: tiagoslucas.medium.com
+ type: website
+ url: https://tiagoslucas.medium.com
+ - text: tiago.lucas@eclipse-foundation.org
+ type: email
+ url: mailto:tiago.lucas@eclipse-foundation.org
+ - name: Thomas Neidhart
+ image: https://www.eclipse.org/org/foundation/images_staff/thomas-neidhart.png
+ links:
+ - text: netomi
+ type: eclipse
+ url: https://accounts.eclipse.org/users/netomi
+ - text: netomi
+ type: eclipse_gitlab
+ url: https://gitlab.eclipse.org/netomi
+ - text: netomi
+ type: github
+ url: https://github.com/netomi
+ - text: netomi.github.io
+ type: website
+ url: https://netomi.github.io
+ - text: thomas.neidhart@eclipse-foundation.org
+ type: email
+ url: mailto:thomas.neidhart@eclipse-foundation.org
+ - name: Francisco Peréz
+ image: https://www.eclipse.org/org/foundation/images_staff/francisco-perez.jpg
+ links:
+ - text: fcojperez
+ type: eclipse
+ url: https://accounts.eclipse.org/users/fcojperez
+ - text: fcojperez
+ type: eclipse_gitlab
+ url: https://gitlab.eclipse.org/fcojperez
+ - text: fperezel
+ type: github
+ url: https://github.com/fperezel
+ - text: Francisco Peréz
+ type: linkedin
+ url: https://www.linkedin.com/in/fcojperez
+ - text: francisco.perez@eclipse-foundation.org
+ type: email
+ url: mailto:francisco.perez@eclipse-foundation.org
+ - name: Marta Rybczynska
+ image: https://www.eclipse.org/org/foundation/images_staff/marta-rybczynska.jpg
+ links:
+ - text: mrybczyn
+ type: eclipse
+ url: https://accounts.eclipse.org/users/mrybczyn
+ - text: mrybczyn
+ type: eclipse_gitlab
+ url: https://gitlab.eclipse.org/mrybczyn
+ - text: mrybczyn
+ type: github
+ url: https://github.com/mrybczyn
+ - text: marta.rybczynska@eclipse-foundation.org
+ type: email
+ url: mailto:marta.rybczynska@eclipse-foundation.org
+
+# Community members
+community: []
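Review bot: The `eclipse` link for Tiago Lucas points at `https://eclipse.org/user/tiagolucas`, while every other entry uses the `https://accounts.eclipse.org/users/<username>` form; likewise the first entry's `image` is served from `https://eclipse.org/...` and the rest from `https://www.eclipse.org/...`, so two entries presumably take an extra redirect (or break if that host form stops being served). Consider normalising to `url: https://accounts.eclipse.org/users/tiagolucas` and `image: https://www.eclipse.org/org/foundation/images_staff/mikael.jpg`. Separately, only the first entry carries a `pgp` fingerprint, while the reporting page in this same commit tells reporters that mail to the team address is unencrypted; publishing a key for each staff member, or for the team address itself, would give reporters a way to encrypt — worth confirming with the team whether such keys exist before adding them here.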
diff --git a/layouts/shortcodes/pages/security/team.html b/layouts/shortcodes/pages/security/team.html
new file mode 100644
index 0000000000000000000000000000000000000000..3b90dcff2a533f5ddef1868c5e9ee0f1e2568103
--- /dev/null
+++ b/layouts/shortcodes/pages/security/team.html
@@ -0,0 +1,66 @@
+{{/*
+ Copyright (c) 2023 Eclipse Foundation, Inc.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0 which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ Contributors:
+ Olivier Goulet <olivier.goulet@eclipse-foundation.org>
+
+ SPDX-License-Identifier: EPL-2.0
+*/}}
+
+{{ $type := .Get "type" }}
+{{ $team_members := index .Site.Data.security.team $type }}
+{{ $data := .Site.Data.security.team }}
+
+<section class="row">
+ {{ if eq (len $team_members) 0 }}
+ <div class="col-xs-24">
+ <p>No {{ $type }} members to display at this time.</p>
+ </div>
+ {{ else }}
+ {{ range $team_members }}
+ {{ $eclipse_username := "" }}
+ {{ range .links }}
+ {{ if eq .type "eclipse" }}
+ {{ $eclipse_username = .text }}
+ {{ end }}
+ {{ end }}
+
+ <div class="media clearfix">
+ <div class="col-xs-5 col-sm-4">
+ <a href="https://www.eclipse.org/user/{{ $eclipse_username }}">
+ <img
+ class="img-thumbnail img-responsive margin-top-20"
+ src="{{ .image }}"
+ alt="{{ .name }}"
+ />
+ </a>
+ </div>
+ <div class="col-xs-19 col-sm-20">
+ <div class="media-body">
+ <a href="/user/{{ $eclipse_username }}">
+ <h3 id="{{ $eclipse_username }}">
+ {{ .name }}
+ <i class="fa fa-link" aria-hidden="true"></i>
+ </h3>
+ </a>
+ <dl>
+ {{ range .links }}
+ {{ $type := index $data.link_types .type }}
+ <dt>
+ <a href="{{ .url }}">
+ <i class="{{ $type.icon }}" aria-hidden="true"></i>
+ {{ .text }}{{ $type.postfix }}
+ </a>
+ </dt>
+ {{ end }}
+ </dl>
+ </div>
+ </div>
+ </div>
+ {{ end }}
+ {{ end }}
+</section>
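Review bot: In the inner `{{ range .links }}` loop, `index $data.link_types .type` yields nil for any `type` that is not declared in `link_types`, and the following `$type.icon` then aborts the whole site render with a nil-pointer evaluation error — a single typo in `data/security/team.yml` breaks the build with a message that does not name the offending entry. The inner `$type` also shadows the shortcode's own `$type` parameter, which makes the two uses easy to confuse. A `with`/`else` around the lookup fails with a clear message (or could fall back to rendering without an icon, if a broken link is preferable to a failed build); the rewritten loop is below. The same kind of guard is worth adding around `$eclipse_username`: a member without an `eclipse` link currently gets `href="/user/"` and `id=""`, so wrapping those anchors in `{{ with $eclipse_username }}…{{ end }}` (and falling back to the bare name) would avoid emitting broken links.
```html
{{/* … unchanged: member lookup, avatar and heading markup … */}}
<dl>
  {{ range .links }}
    {{ $link := . }}
    {{ with index $data.link_types .type }}
      <dt>
        <a href="{{ $link.url }}">
          <i class="{{ .icon }}" aria-hidden="true"></i>
          {{ $link.text }}{{ .postfix }}
        </a>
      </dt>
    {{ else }}
      {{ errorf "security team shortcode: unknown link type %q on link %q" .type .text }}
    {{ end }}
  {{ end }}
</dl>
```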