From d1c7c550345be473c5788d1014ccd04e01e4bb56 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Wed, 11 Sep 2024 12:17:31 +0000
Subject: [PATCH 1/7] Remove vague statement

---
 security/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/index.html b/security/index.html
index 83970a8fc..297b5970d 100644
--- a/security/index.html
+++ b/security/index.html
@@ -12,7 +12,7 @@
         <div id="secvuln-reporting" class="row">
             <div class="column small-12">
                 <h2>Security Advisories</h2>
-                <p>See our archive of <a href="{{ site.baseurl }}/security/advisories/">past security advisories</a>. There are no vulnerabilities listed for OMERO version 5.6.1 onward.</p>
+                <p>See our archive of <a href="{{ site.baseurl }}/security/advisories/">past security advisories</a>.
                 <h2>How to Report a Security Vulnerability</h2>
                 <p>If you discover a security vulnerability or would like to report a security issue privately and securely, please email us at <code>security@openmicroscopy.org</code>. You can use GPG keys to communicate with us securely. If you do, please upload your GPG public key or supply it to us in some other way, so that we can reply securely too:</p>
                 <div class="callout primary small-12 medium-5">

From bc4528e1a1d70bbd82ac240644648b169a6b7662 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Wed, 11 Sep 2024 12:37:53 +0000
Subject: [PATCH 2/7] Comment on bug bounties

---
 security/index.html | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/index.html b/security/index.html
index 297b5970d..9cc53948f 100644
--- a/security/index.html
+++ b/security/index.html
@@ -23,6 +23,8 @@ <h2>How to Report a Security Vulnerability</h2>
                     </ul>
                 </div>
                 <p>OME takes its responsibility to help keep our users’ data secure very seriously. We strongly encourage people to report any security issues to our private security mailing list.</p>
+                <h2 id="secvuln-bounty">Bug Bounties / Vulnerability Reward Program (VRP)</h2>
+                <p>OME enjoys a close relationship with and supports independent assessment of its products by the security research community. <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Responsible disclosure</a> is a key part of this relationship. However, as a predominently academically funded project OME <strong>does not</strong> operate a <em>Bug Bountry</em> or <em>Vulnerability Reward Program (VRP)</em> at this time.</p>
                 <h2>Our Process</h2>
                 <p>Emails sent to us are read and acknowledged with a non-automated response. For issues that are complicated and require significant attention, we will open an investigation and keep you informed of our progress.</p>
                 <p>Details will only be released to the public once we have a fix in place.</p>

From 18f101f5f7a180625a72109b6c84ade6e86f77b0 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Wed, 11 Sep 2024 12:38:03 +0000
Subject: [PATCH 3/7] Low risk findings

---
 security/index.html | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security/index.html b/security/index.html
index 9cc53948f..2262f7abf 100644
--- a/security/index.html
+++ b/security/index.html
@@ -29,6 +29,12 @@ <h2>Our Process</h2>
                 <p>Emails sent to us are read and acknowledged with a non-automated response. For issues that are complicated and require significant attention, we will open an investigation and keep you informed of our progress.</p>
                 <p>Details will only be released to the public once we have a fix in place.</p>
                 <p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in OME products and managing the process of fixing such vulnerabilities. We cannot accept bug reports or other queries at this address. All mail sent to this address that does not relate to a security problem will be ignored.</p>
+                <p>Furthermore, as a public open source project emails related to common or low-risk findings will be ignored. Here are some examples:
+                <ul>
+                    <li>Missing DMARC or other SPAM mitigation DNS records</li>
+                    <li>Clickjacking on its static websites such as <code>www.openmicroscopy.org</code></li>
+                    <li>Example documentation containing perceived sensitive information</li>
+                </ul></p>
                 <p>For bug reports and other issues, please use our public mailing lists and forums.</p>
             </div>
         </div>

From b3abef80912e5382394a23c04d5b63b5e97ca82a Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Wed, 11 Sep 2024 15:36:05 +0000
Subject: [PATCH 4/7] Spelling

---
 security/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/index.html b/security/index.html
index 2262f7abf..be9709ab6 100644
--- a/security/index.html
+++ b/security/index.html
@@ -24,7 +24,7 @@ <h2>How to Report a Security Vulnerability</h2>
                 </div>
                 <p>OME takes its responsibility to help keep our users’ data secure very seriously. We strongly encourage people to report any security issues to our private security mailing list.</p>
                 <h2 id="secvuln-bounty">Bug Bounties / Vulnerability Reward Program (VRP)</h2>
-                <p>OME enjoys a close relationship with and supports independent assessment of its products by the security research community. <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Responsible disclosure</a> is a key part of this relationship. However, as a predominently academically funded project OME <strong>does not</strong> operate a <em>Bug Bountry</em> or <em>Vulnerability Reward Program (VRP)</em> at this time.</p>
+                <p>OME enjoys a close relationship with and supports independent assessment of its products by the security research community. <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Responsible disclosure</a> is a key part of this relationship. However, as a predominantly academically funded project OME <strong>does not</strong> operate a <em>Bug Bounty</em> or <em>Vulnerability Reward Program (VRP)</em> at this time.</p>
                 <h2>Our Process</h2>
                 <p>Emails sent to us are read and acknowledged with a non-automated response. For issues that are complicated and require significant attention, we will open an investigation and keep you informed of our progress.</p>
                 <p>Details will only be released to the public once we have a fix in place.</p>

From 5a94318f126ff31678cef7dd967ae72db9444a29 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Thu, 12 Sep 2024 09:17:28 +0000
Subject: [PATCH 5/7] Loose the "its"

---
 security/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/index.html b/security/index.html
index be9709ab6..cfca39540 100644
--- a/security/index.html
+++ b/security/index.html
@@ -32,7 +32,7 @@ <h2>Our Process</h2>
                 <p>Furthermore, as a public open source project emails related to common or low-risk findings will be ignored. Here are some examples:
                 <ul>
                     <li>Missing DMARC or other SPAM mitigation DNS records</li>
-                    <li>Clickjacking on its static websites such as <code>www.openmicroscopy.org</code></li>
+                    <li>Clickjacking on static websites such as <code>www.openmicroscopy.org</code></li>
                     <li>Example documentation containing perceived sensitive information</li>
                 </ul></p>
                 <p>For bug reports and other issues, please use our public mailing lists and forums.</p>

From d5b32275b4d1ed7c6a60d7a42f9b2d7f9a3479c6 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Thu, 12 Sep 2024 09:19:26 +0000
Subject: [PATCH 6/7] Add CI example

---
 security/index.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/index.html b/security/index.html
index cfca39540..ed2bad483 100644
--- a/security/index.html
+++ b/security/index.html
@@ -34,6 +34,7 @@ <h2>Our Process</h2>
                     <li>Missing DMARC or other SPAM mitigation DNS records</li>
                     <li>Clickjacking on static websites such as <code>www.openmicroscopy.org</code></li>
                     <li>Example documentation containing perceived sensitive information</li>
+                    <li>Information disclosure of public information like GitHub usernames/contributions on <code>ci.openmicroscopy.org</code></li>
                 </ul></p>
                 <p>For bug reports and other issues, please use our public mailing lists and forums.</p>
             </div>

From 5202ed1a0701d39c9d966e45f1b0df0c01b82bc8 Mon Sep 17 00:00:00 2001
From: Chris Allan <callan@glencoesoftware.com>
Date: Fri, 13 Sep 2024 10:36:40 +0000
Subject: [PATCH 7/7] Allow direct linking to process

---
 security/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/index.html b/security/index.html
index ed2bad483..0ed98c0fd 100644
--- a/security/index.html
+++ b/security/index.html
@@ -25,7 +25,7 @@ <h2>How to Report a Security Vulnerability</h2>
                 <p>OME takes its responsibility to help keep our users’ data secure very seriously. We strongly encourage people to report any security issues to our private security mailing list.</p>
                 <h2 id="secvuln-bounty">Bug Bounties / Vulnerability Reward Program (VRP)</h2>
                 <p>OME enjoys a close relationship with and supports independent assessment of its products by the security research community. <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Responsible disclosure</a> is a key part of this relationship. However, as a predominantly academically funded project OME <strong>does not</strong> operate a <em>Bug Bounty</em> or <em>Vulnerability Reward Program (VRP)</em> at this time.</p>
-                <h2>Our Process</h2>
+                <h2 id="secvuln-process">Our Process</h2>
                 <p>Emails sent to us are read and acknowledged with a non-automated response. For issues that are complicated and require significant attention, we will open an investigation and keep you informed of our progress.</p>
                 <p>Details will only be released to the public once we have a fix in place.</p>
                 <p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in OME products and managing the process of fixing such vulnerabilities. We cannot accept bug reports or other queries at this address. All mail sent to this address that does not relate to a security problem will be ignored.</p>