Add security/CVE page (#192)

ThreeTen · Apr 16, 2024 · adcdbc4 · adcdbc4
1 parent 0cc27b9
commit adcdbc4
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md
@@ -35,6 +35,7 @@ Various documentation is available:
 
 * The [Javadoc](apidocs/index.html)
 * The [change notes](changes-report.html) for each release
+* The [security](security.html) issues page
 * The [GitHub](https://github.com/ThreeTen/threetenbp) source repository
 * The mechanism to [update](update-tzdb.html) the time-zone information
 

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
@@ -0,0 +1,37 @@
+## Threeten-Backport Security
+
+### Security Policy
+
+**Supported Versions**
+
+If a security issue occurs, only the latest version is guaranteed to be patched.
+
+**Reporting a Vulnerability**
+
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+
+### CVEs
+
+**[CVE-2024-23081](https://www.cve.org/CVERecord?id=CVE-2024-23081)**
+
+This was raised publicly on 2024-04-10.
+There was no prior warning or private disclosure.
+
+The CVE is nonsense. It was raised by an AI-driven bot.
+The CVE describes that a `NullPointerException` is thrown when `null` is passed into a method.
+As any Java developer knows, this is perfectly normal and not a security issue or CVE.
+
+Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.
+
+**[CVE-2024-23082](https://www.cve.org/CVERecord?id=CVE-2024-23082)**
+
+This was raised publicly on 2024-04-10.
+There was no prior warning or private disclosure.
+
+The CVE is nonsense. It was raised by an AI-driven bot.
+The CVE describes that a `StringIndexOutOfBoundsException` is thrown when a certain input is passed into a method.
+As any Java developer knows, this is a perfectly normal exception and not a security issue or CVE.
+
+Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.
diff --git a/src/site/site.xml b/src/site/site.xml
@@ -75,6 +75,7 @@
     <menu name="Releases">
       <item name="Release notes" href="changes-report.html"/>
       <item name="Dependency info" href="dependency-info.html"/>
+      <item name="Security" href="security.html"/>
       <item name="Download" href="https://search.maven.org/search?q=g:org.threeten%20AND%20a:threetenbp&amp;core=gav"/>
     </menu>