OSC · matt257 · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024 · johrstrom
diff --git a/source/authentication/overview.rst b/source/authentication/overview.rst
@@ -1,7 +1,7 @@
 .. _authentication-overview:
 
-Overview
-========
+Authentication Overview
+=======================
 
 Configuring Open OnDemand to work with an Apache authentication module can be
 broken down into three procedures:

diff --git a/source/index.rst b/source/index.rst
@@ -81,10 +81,10 @@ These are institutions who were early adopters or provided HPC resources for dev
 
   architecture
   reference
+  security
   release-notes
   version-policy
   glossary
-  issues/overview
 
 .. _website: https://openondemand.org/
 .. _bowdoin: https://www.bowdoin.edu/it/resources/high-performance-computing.html

diff --git a/source/issues/overview.rst b/source/issues/overview.rst
diff --git a/source/security.rst b/source/security.rst
@@ -0,0 +1,38 @@
+.. _security:
+
+Security
+=================
+
+Introduction
+------------
+
+This document provides an overview of the security framework implemented in Open OnDemand, detailing security features, general policies, and procedures.
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Security Topics
+
+   security/vulnerability-management
+   authentication/overview 
+   how-tos/monitoring/logging
+   customizations
+
+Security Features
+-----------------
+
+- **Authentication**: Details the authentication mechanisms supported by Open OnDemand. For more information, see :ref:`more about our authentication process <authentication-overview>`.
+
+- **Authorization**: Describes the authorization model, including the management and enforcement of permissions within Open OnDemand.
+
+- **Data Protection**: Outlines measures for protecting sensitive data within the platform, including encryption protocols for data in transit and at rest.
+
+- **Monitoring and Logging**: Discusses the extensive logging and monitoring capabilities of Open OnDemand, crucial for security auditing and incident response. For more information, see :ref:`logging`.
+
+- **Vulnerability Management**: Provides details on how vulnerabilities are identified, reported, and managed within the platform. See :ref:`vulnerability-management`.
+
+- **Security Audits**: The Open OnDemand core development team has engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, for vulnerability assessments and security policy development. The latest report from these engagements can be accessed `here <https://openondemand.org/sites/default/files/documents/Trusted%20CI%20Open%20OnDemand%20Engagement%20Final%20Report%20-%20REDACTED%20FOR%20PUBLIC%20RELEASE%20210712_0.pdf>`_.
+
+Conclusion
+----------
+
+Maintaining robust security is pivotal for the operation of Open OnDemand. Ongoing efforts are dedicated to strengthening the security measures in place. Users and administrators are encouraged to adhere to the outlined best practices and security guidelines to ensure a secure operational environment.
diff --git a/source/security/vulnerability-management.rst b/source/security/vulnerability-management.rst
@@ -0,0 +1,42 @@
+.. _vulnerability-management:
+
+Vulnerability Management
+========================
+
+Introduction
+------------
+
+Vulnerability management is a critical component of the security strategy for Open OnDemand. This document outlines the procedures for reporting and managing vulnerabilities using GitHub, ensuring the platform remains secure and robust against potential threats.
+
+Reporting a Vulnerability
+-------------------------
+
+If you have security concerns or think you have found a vulnerability, please submit a private report by visiting the 'Security' section of our GitHub located at [GitHub Open OnDemand Security](https://github.com/OSC/ondemand/security/) and clicking 'Report a vulnerability'.
+
+For direct inquiries or issues in submitting a report, contact the core project team via email at [email protected].
+
+Disclosure Policy
+-----------------
+
+- Upon reporting, you will receive a response within hours, acknowledging the receipt of the report.
+- A primary handler from the team will be assigned to coordinate the fix and release process:
+  - Confirm the problem and determine the affected versions (1-2 days).
+  - Audit code to find any potential similar problems (1-2 days).
+  - Prepare fixes for all releases still under maintenance and release as soon as possible (2-7 days).
+
+Comments on Policy
+------------------
+
+Suggestions to improve this process can be made via submitting a ticket, opening a Discourse topic, or a pull request.
+
+Security Audits
+---------------
+
+Open OnDemand has been audited several times by Trusted CI, the NSF Cybersecurity Center of Excellence. These audits have helped shape the security landscape of the platform and contribute to its ongoing security enhancements.
+
+Conclusion
+----------
+
+Effective vulnerability management is crucial for maintaining the security and integrity of Open OnDemand. Users and contributors play a vital role in this process by reporting potential security vulnerabilities through GitHub, ensuring the platform's continued safety.
+
+.. note:: For details on the specific vulnerability management steps, please see the GitHub repository guidelines or the security policies linked above.