Include the security policy on the site.

jamezp · jamezp · commit 198277c701e6 · 2026-03-25T10:57:27.000-07:00
Signed-off-by: James R. Perkins &lt;jperkins@ibm.com&gt;
diff --git a/content/security.md b/content/security.md
@@ -0,0 +1,35 @@
+---
+layout: default
+title: Security Policy
+---
+
+<!-- IMPORTANT: This content is also maintained in https://github.com/resteasy/.github/blob/main/SECURITY.md - keep both files in sync! -->
+
+# Security Policy
+
+## The RESTEasy community and our sponsor, Commonhaus Foundation, take security bugs very seriously
+
+We aim to take immediate action to address serious security-related problems that involve our projects.
+
+## Reporting Security Issues
+
+When reporting a security vulnerability it is important to not accidentally broadcast to the world that the issue exists, 
+as this makes it easier for people to exploit it. The software industry uses the term [embargo](https://www.redhat.com/en/blog/security-embargoes-red-hat) 
+to describe the time a security issue is known internally until it is public knowledge.
+
+Our preferred way of reporting security issues in RESTEasy and its related projects is listed below.
+
+### Email the mailing list
+
+The list at [resteasy-security@redhat.com](mailto:resteasy-security@redhat.com) is the preferred mechanism for outside
+users to report security issues. A member of the RESTEasy team will open the required issues.
+
+### Other considerations
+
+If you would like to work with us on a fix for the security vulnerability, please include your GitHub username in the 
+above email, and we will provide you access to a temporary private fork where we can collaborate on a fix without it 
+being disclosed publicly, **including in your own publicly visible git repository**.
+
+Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly, 
+**including in your own publicly visible git repository**. If you discover any publicly disclosed security 
+vulnerabilities, please notify us immediately through [resteasy-security@redhat.com](mailto:resteasy-security@redhat.com).
diff --git a/templates/partials/footer.html b/templates/partials/footer.html
@@ -38,7 +38,7 @@
                         <a href="https://www.apache.org/licenses/LICENSE-2.0" class="license-badge">
                             <i class="fas fa-balance-scale"></i> Apache License 2.0
                         </a>
-                        <a href="https://www.jboss.org/security.html" class="security-link">
+                        <a href="{site.url('/security').absolute}" class="security-link">
                             <i class="fas fa-shield-alt"></i> Security
                         </a>
                     </div>
