From 887bc3c23522b39098138314c39a00dfd5689a4f Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Sun, 4 May 2025 23:20:09 +0200 Subject: [PATCH] refactor(docs): better security linking and references for docs (#9621) * Update SECURITY.md with link * restructure headers and add hall of fame * add cpe/cve policy * add CoC and Security Policy links in readme * update contributing link * add link to Threat Model * update dead links --- README.md | 17 ++++++++++++----- SECURITY.md | 10 +++++++++- docs/docs/security.md | 13 ++++++++++--- 3 files changed, 31 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 86442a49fb..7370302fa5 100644 --- a/README.md +++ b/README.md @@ -53,10 +53,10 @@ Want to see what we are working on? Check out the [roadmap tag](https://github.c InvenTree is designed to be **extensible**, and provides multiple options for **integration** with external applications or addition of custom plugins: -* [InvenTree API](https://docs.inventree.org/en/latest/api/api/) -* [Python module](https://docs.inventree.org/en/latest/api/python/python/) -* [Plugin interface](https://docs.inventree.org/en/latest/extend/plugins) -* [Third party tools](https://docs.inventree.org/en/latest/extend/integrate) +* [InvenTree API](https://docs.inventree.org/en/latest/api/) +* [Python module](https://docs.inventree.org/en/latest/api/python/) +* [Plugin interface](https://docs.inventree.org/en/latest/plugins/) +* [Third party tools](https://docs.inventree.org/en/latest/plugins/integrate/) ### :space_invader: Tech Stack 
@@ -138,10 +138,17 @@ InvenTree is supported by a [companion mobile app](https://docs.inventree.org/ap Apple App Store + +## :lock: Code of Conduct & Security Policy + +The InvenTree project team is committed to providing a safe and welcoming environment for all users. Please read our [Code of Conduct](CODE_OF_CONDUCT.md) for more information. + +InvenTree is following industry best practices for security. Our security policy is included [in this repo](SECURITY.md). We provide dedicated security pages on [our documentation site](https://docs.inventree.org/en/latest/security/). + ## :wave: Contributing -Contributions are welcomed and encouraged. Please help to make this project even better! Refer to the [contribution page](CONTRIBUTING.md). +Contributions are welcomed and encouraged. Please help to make this project even better! Refer to the [contribution page](https://docs.inventree.org/en/latest/develop/contributing/). ## :scroll: Translation diff --git a/SECURITY.md b/SECURITY.md index 6054604914..c14a52c147 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,7 +1,9 @@ # Security Policy The InvenTree team take all security vulnerabilities seriously. Thank you for improving the security of our open source software. + We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions. +The general project security policies and processes are documented in [our documentation](https://docs.inventree.org/en/stable/security/). ## Reporting a Vulnerability 
@@ -11,7 +13,13 @@ Please report security vulnerabilities by emailing the InvenTree team at: security@inventree.org ``` -Someone from the InvenTree development team will acknowledge your email as soon as possible, and indicate the next steps in handling your security report. +Someone from the InvenTree development team will acknowledge your email as soon as possible (normally within a week), and indicate the next steps in handling your security report. The team will endeavour to keep you informed of the progress towards a fix for the issue, and subsequent release to the stable and development code branches. Where possible, the issue will be resolved within 90 days of reporting. + +### Public Disclosure + +Using GitHub's security advisory system, we will publish a public disclosure of the issue once it has been acknowledged, reproduced and resolved. +We support assigning CVEs to security issues where appropriate. +The project can be identified by the CPE code ``cpe:2.3:a:inventree_project:inventree:``. diff --git a/docs/docs/security.md b/docs/docs/security.md index c5ca4b1eb1..d5a34403f5 100644 --- a/docs/docs/security.md +++ b/docs/docs/security.md @@ -1,6 +1,9 @@ The InvenTree project is committed to providing a secure and safe environment for all users. We know that many of our users rely on InvenTree to manage the inventory and manufacturing for their small and mid-size businesses, and we take that responsibility seriously. +!!! tip "This page covers the InvenTree project" + This page covers the InvenTree project as a whole. Specific security measures for deploying your own instance of InvenTree can be found on the [Threat Model](./concepts/threat_model.md) page. + To that end, we have implemented a number of security measures over the years, which we will outline in this document. ## Organisational measures 
@@ -10,8 +13,12 @@ Read the Project [Governance](./project/governance.md) document for more informa InvenTree is open-source, and we welcome contributions from the community. However, all contributions are reviewed and scrutinised before being merged into the codebase. -We provide a written [Security Policy]({{ sourcefile("SECURITY.md") }}) in our main repo to ensure that all security issues are handled in a timely manner. +### Security Policy +The official [Security Policy]({{ sourcefile("SECURITY.md") }}) is available in the code repository. +We provide this document in our main repo to increase discoverabiltity to ensure that all security issues are handled in a timely manner. + +### Past Reports If we become aware of a security issue, we will take immediate action to address the issue, and will provide a public disclosure of the issue once it has been resolved. We support assigning CVEs to security issues where appropriate. Our [past security advisories can be found here](https://github.com/inventree/InvenTree/security/advisories). ## Technical measures @@ -54,6 +61,6 @@ We also follow OpenSSF recommendations where applicable and take part in multipl - OSSF Best Practices, currently at a [level of passing](https://www.bestpractices.dev/de/projects/7179) - OSSF Scorecard, running with each merge [check current state](https://securityscorecards.dev/viewer/?uri=github.com/inventree/InvenTree) -## Security Policy +## Hall of Fame -The official [Security Policy]({{ sourcefile("SECURITY.md") }}) is available in the code repository. +We are grateful for all reports. Confirmed reports can be rewarded with a mention in the Hall of Fame below if the reporter requests it. We are also happy to provide a CVE if applicable.
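Review bot: README hunk 2 (the new "Code of Conduct & Security Policy" section) makes the blanket claim "InvenTree is following industry best practices for security" without saying which; since `docs/docs/security.md` in this same patch enumerates the concrete measures (OpenSSF Best Practices badge, Scorecard), word it as "InvenTree follows the security practices documented on [our documentation site](...)" so the sentence points at something a reader can verify rather than asserting compliance in the abstract.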
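Review bot: SECURITY.md hunk 1 links the policy page as `https://docs.inventree.org/en/stable/security/` while the README hunk in this same patch links `https://docs.inventree.org/en/latest/security/`; pick one channel (stable is the better fit for a policy that is supposed to be authoritative) and use it in both files, otherwise the two entry points can describe different processes once the docs diverge.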
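Review bot: SECURITY.md hunk 2 gives an incomplete CPE: ``cpe:2.3:a:inventree_project:inventree:`` stops after the product field with a trailing colon, whereas a CPE 2.3 formatted string has 13 colon-separated components (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other). Either write the full wildcarded form ``cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*`` or describe it as the vendor/product pair rather than "the CPE code", and confirm the `inventree_project`/`inventree` pair is what the NVD CPE dictionary records so that CVEs filed against it actually match. The same hunk also commits to "within 90 days" only "where possible"; say what happens to disclosure when a fix is not possible in that window (coordinated disclosure at a fixed deadline, or extension agreed with the reporter), since that is the case the reporter most needs the policy for.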
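Review bot: docs/docs/security.md hunk 2 has a typo and a doubled infinitive in "We provide this document in our main repo to increase discoverabiltity to ensure that all security issues are handled in a timely manner"; suggest "We keep this document in our main repository so that it is easy to find and so that all security issues are handled in a timely manner." The new "### Past Reports" heading also sits over a paragraph that is mostly about future process ("If we become aware of a security issue, we will take immediate action..."), and its disclosure wording ("once it has been resolved") no longer matches SECURITY.md in this same patch ("once it has been acknowledged, reproduced and resolved"); either retitle the section (e.g. "Disclosure and Past Reports") or move the process sentences under "Security Policy" and align the wording with SECURITY.md so the two documents do not drift.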
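Review bot: docs/docs/security.md hunk 3 introduces "## Hall of Fame" and says reporters can be mentioned "in the Hall of Fame below", but nothing follows the sentence in the hunk, so the page ends promising a list that does not exist. Add the list (even as an explicit "No entries yet." line) and state in the same paragraph how a reporter requests the mention (in the initial report to security@inventree.org, per SECURITY.md), so the offer is actionable.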