From 5c50892dc6d5e3d5d772f971897a4c88e3541497 Mon Sep 17 00:00:00 2001 From: Wyatt Preul Date: Fri, 30 Jan 2015 21:49:53 -0600 Subject: [PATCH 1/2] security: Adding page to about section --- doc/about.html | 1 + doc/about/security/index.json | 1 + doc/about/security/index.md | 57 +++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 doc/about/security/index.json create mode 100644 doc/about/security/index.md diff --git a/doc/about.html b/doc/about.html index 8739089..cb998bc 100644 --- a/doc/about.html +++ b/doc/about.html @@ -40,6 +40,7 @@
  • Core Team
  • Resources
  • Advisory Board
  • +
  • Security
  • diff --git a/doc/about/security/index.json b/doc/about/security/index.json new file mode 100644 index 0000000..537deb5 --- /dev/null +++ b/doc/about/security/index.json @@ -0,0 +1 @@ +{ "template": "doc/about.html", "title": "Security" } \ No newline at end of file diff --git a/doc/about/security/index.md b/doc/about/security/index.md new file mode 100644 index 0000000..9af18ef --- /dev/null +++ b/doc/about/security/index.md 
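Review bot: the new doc/about/security/index.json is committed without a trailing newline ("\ No newline at end of file"), and the only change to that file in PATCH 2/2 is adding the newline back; squash that fix into this commit so the file lands clean the first time and the second patch is reduced to the advisory-board navigation link.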
@@ -0,0 +1,57 @@ +# Security + +## Reporting a Bug + +All security bugs in Node.js are taken seriously and should be reported by emailing [security@nodejs.org](mailto:security@nodejs.org). +This will be delivered to a subset of the core team who handle security issues. + +Your email will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 +hours indicating the next steps in handling your report. + +After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made +towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue. +These updates will be sent at least every five days, in practice, this is more likely to be every 24-48 hours. + +Security bugs in third party modules should be reported to their respective maintainers and can also be coordinated +through the [Node Security Project](https://nodesecurity.io). + +Thank you for improving the security of Node.js. Your efforts and responsible disclosure are greatly appreciated and +will be acknowledged. + + +## Disclosure Policy + +Here is the security disclosure policy for Node.js + +- The security report is received and is assigned a primary handler. This person will coordinate the fix and release +process. The problem is confirmed and a list of all affected versions is determined. Code is audited to find any +potential similar problems. Fixes are prepared for all releases which are still under maintenance. These fixes are not +committed to the public repository but rather held locally pending the announcement. + +- A suggested embargo date for this vulnerability is chosen and a CVE (Common Vulnerabilities and Exposures (CVE®)) +is requested for the vulnerability. + +- On the embargo date, the Node.js security mailing list is sent a copy of the announcement. The changes are pushed to +the public repository and new builds are deployed to nodejs.org. 
Within 6 hours of the mailing list being notified, a +copy of the advisory will be published on the Node.js blog. + +- Typically the embargo date will be set 72 hours from the time the CVE is issued. However, this may vary depending on +the severity of the bug or difficulty in applying a fix. + +- This process can take some time, especially when coordination is required with maintainers of other projects. Every +effort will be made to handle the bug in as timely a manner as possible, however, it’s important that we follow the +release process above to ensure that the disclosure is handled in a consistent manner. + + +## Receiving Security Updates + +Security notifications will be distributed via the following methods. + +- [http://groups.google.com/group/nodejs-sec](http://groups.google.com/group/nodejs-sec) +- [http://blog.nodejs.org](http://blog.nodejs.org) + + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a [pull request](https://github.com/joyent/node-website) +or email [security@nodejs.org](mailto:security@nodejs.org) to discuss. From ecfb1be8ff2d80a3b9d84a5b596d06c49a6d175b Mon Sep 17 00:00:00 2001 From: Wyatt Preul Date: Sat, 31 Jan 2015 12:41:36 -0600 Subject: [PATCH 2/2] Adding link to security from advisory board page --- doc/about/advisory-board/template.html | 1 + doc/about/security/index.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/about/advisory-board/template.html b/doc/about/advisory-board/template.html index 96abbfd..c10af90 100644 --- a/doc/about/advisory-board/template.html +++ b/doc/about/advisory-board/template.html @@ -42,6 +42,7 @@
  • Advisory Board
  •     - Members
  •     - Minutes
  • +
  • Security
  • diff --git a/doc/about/security/index.json b/doc/about/security/index.json index 537deb5..befa5ae 100644 --- a/doc/about/security/index.json +++ b/doc/about/security/index.json @@ -1 +1 @@ -{ "template": "doc/about.html", "title": "Security" } \ No newline at end of file +{ "template": "doc/about.html", "title": "Security" }
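Review bot: in the index.md hunk the update-cadence sentence is a comma splice that reads as self-contradictory ("These updates will be sent at least every five days, in practice, this is more likely to be every 24-48 hours."); suggest "These updates will be sent at least every five days; in practice this is more likely to be every 24-48 hours." In the same hunk, "Here is the security disclosure policy for Node.js" is missing its terminating punctuation, the CVE expansion nests parentheses ("CVE (Common Vulnerabilities and Exposures (CVE®))") and could simply read "a CVE (Common Vulnerabilities and Exposures) identifier is requested", and the two links under "Receiving Security Updates" are plain http:// URLs; on a page telling readers where to get security notifications, prefer https:// so the links are not served over cleartext.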
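Review bot: the doc/about/advisory-board/template.html hunk shows that the about-section navigation list is duplicated between doc/about.html and this template, which is why the "Security" entry added in PATCH 1/2 had to be added a second time here; consider moving the shared list into a single template or include so new pages are registered in one place and the two menus cannot drift apart.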