docs: misc improvements (#5092)

* docs: misc improvements

* docs: misc improvements

SECURITY.md

@@ -7,11 +7,9 @@ decisions are made with security being the priority and we always aim to impleme
 
 ## Coordinated vulnerability disclosure
 
-__Authelia__ follows the
+__Authelia__ follows the [coordinated vulnerability disclosure] model when dealing with security vulnerabilities. This
-[coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) model when
+was previously known as responsible disclosure. We strongly urge anyone reporting vulnerabilities to __Authelia__ or any
-dealing with security vulnerabilities. This was previously known as responsible disclosure. We strongly urge anyone
+other project to follow this model as it is considered as a best practice by many in the security industry.
-reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered as a best
-practice by many in the security industry.
 
 If you believe you have identified a security vulnerability or security related bug with __Authelia__ please make every
 effort to contact us privately using one of the [contact options](#contact-options) below. Please do not open an issue,
@@ -21,8 +19,8 @@ Using this process helps ensure that users affected have an avenue to fixing the
 made public as possible. This mitigates the increasing the attack surface (via improving attacker knowledge) for
 diligent administrators simply via the act of disclosing the security issue.
 
-For more information about [security](https://www.authelia.com/information/security/) related matters, please read
+For more information about [security](https://www.authelia.com/security/) related matters, please read
-[the documentation](https://www.authelia.com/information/security/).
+[the documentation](https://www.authelia.com/security/).
 
 ## Contact Options
 
@@ -39,19 +37,19 @@ for users who have a GitHub account.
 Users can utilize the [security@authelia.com](mailto:security@authelia.com) email address to privately report a
 vulnerability. This is an easy method of users who do not have a GitHub account.
 
-This email address is only accessible by key members of the team for the purpose of disclosing security vulnerabilities
+This email address is only accessible by members of the [core team] for the purpose of disclosing security
-and issues within the __Authelia__ code base.
+vulnerabilities and issues within the __Authelia__ code base.
 
 ### Chat
 
 If you wish to chat directly instead of sending an email please use either [Matrix](README.md#matrix) or
-[Discord](README.md#discord) to direct / private message one of the core team members.
+[Discord](README.md#discord) to direct / private message one of the [core team] members.
 
 Please avoid this method unless absolutely necessary. We generally prefer that users use either the
 [GitHub Security](#github-security) or [Email](#email) option rather than this option as it both allows multiple team
-members to deal with the report and prevents mistakes when contacting a core team member.
+members to deal with the report and prevents mistakes when contacting a [core team] member.
 
-The core team members are identified in [Matrix](README.md#matrix) as room admins, and in [Discord](README.md#discord)
+The [core team] members are identified in [Matrix](README.md#matrix) as room admins, and in [Discord](README.md#discord)
 with the `Core Team` role.
 
 ## Process
@@ -80,19 +78,7 @@ Users who report bugs will at their discretion (i.e. they do not have to be if t
 credited for the discovery. Both in the [security advisory] and in our [all contributors](README.md#contribute)
 documentation.
 
-## Help wanted
+[coordinated vulnerability disclosure]: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure
-
-We are actively looking for sponsorship to obtain security audits to comprehensively ensure the security of _Authelia_.
-As security is really important to us we see this as one of the main financial priorities.
-
-We believe that we should obtain the following categories of security audits:
-
-* Code Security Audit / Analysis
-* Penetration Testing
-
-If you know of a company which either performs these kinds of audits and would be willing to sponsor the audit in some
-way such as doing it pro bono or at a discounted rate, or wants to help improve _Authelia_ in a meaningful way and is
-willing to make a financial contribution towards this then please feel free to contact us.
-
 [security advisory]: https://github.com/authelia/authelia/security/advisories
 [report a vulnerability]: https://github.com/authelia/authelia/security/advisories/new
+[core team]: https://www.authelia.com/information/about/#core-team

docs/content/en/contributing/development/build-and-test.md

@@ -99,17 +99,40 @@ The suite will be spawned, tests will be run and then the suite will be torn dow
 ### Binary
 
 If you want to manually build the binary from source you will require the open source software described in the
-[Development Environment](./environment.md#setup) documentation.
+[Development Environment](./environment.md#setup) documentation. Then you can follow the below steps on Linux (you may
+have to adapt them on other systems).
 
-Then the commands required are as follows:
+Clone the Repository:
 
 ```bash
 git clone https://github.com/authelia/authelia.git
-cd authelia\web
+```
-pnpm install
+
-pnpm build
+Download the Dependencies:
+
+```bash
+cd authelia && go mod download
+cd web && pnpm install
 cd ..
-go mod download
+```
+
+Build the Web Frontend:
+
+```bash
+cd web && pnpm build
+cd ..
+```
+
+Build the Binary (with debug symbols):
+
+```bash
+CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
+go build -ldflags "-linkmode=external" -trimpath -buildmode=pie -o authelia ./cmd/authelia
+```
+
+Build the Binary (without debug symbols):
+
+```bash
 CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
 go build -ldflags "-linkmode=external -s -w" -trimpath -buildmode=pie -o authelia ./cmd/authelia
 ```

docs/content/en/overview/security/introduction.md

@@ -15,12 +15,22 @@ aliases:
 ---
 
 The __Authelia__ team takes security very seriously. Because __Authelia__ is intended as a security product a lot of
-decisions are made with security being the priority. This section discusses these decisions as well as considerations
+decisions are made with security being the priority and we always aim to implement security by design.
-users should make when implementing __Authelia__.
 
 ## Coordinated vulnerability disclosure
 
-__Authelia__ follows the [coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure)
+__Authelia__ follows the [coordinated vulnerability disclosure] model when dealing with security vulnerabilities. This
-model when dealing with security vulnerabilities. This was previously known as responsible disclosure. We strongly
+was previously known as responsible disclosure. We strongly urge anyone reporting vulnerabilities to __Authelia__ or any
-urge anyone reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered
+other project to follow this model as it is considered as a best practice by many in the security industry.
-as a best practice by many in the security industry.
+
+If you believe you have identified a security vulnerability or security related bug with __Authelia__ please make every
+effort to contact us privately using one of the [contact options](../../policies/security.md#contact-options) below.
+Please do not open an issue, do not notify us in public, and do not disclose this issue to third parties.
+
+Using this process helps ensure that users affected have an avenue to fixing the issue as close to the issue being
+made public as possible. This mitigates the increasing the attack surface (via improving attacker knowledge) for
+diligent administrators simply via the act of disclosing the security issue.
+
+## Policy
+
+Please view our [security policy](../../policies/security.md) for more information.

docs/content/en/policies/security.md

@@ -15,11 +15,9 @@ decisions are made with security being the priority and we always aim to impleme
 
 ## Coordinated vulnerability disclosure
 
-__Authelia__ follows the
+__Authelia__ follows the [coordinated vulnerability disclosure] model when dealing with security vulnerabilities. This
-[coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) model when
+was previously known as responsible disclosure. We strongly urge anyone reporting vulnerabilities to __Authelia__ or any
-dealing with security vulnerabilities. This was previously known as responsible disclosure. We strongly urge anyone
+other project to follow this model as it is considered as a best practice by many in the security industry.
-reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered as a best
-practice by many in the security industry.
 
 If you believe you have identified a security vulnerability or security related bug with __Authelia__ please make every
 effort to contact us privately using one of the [contact options](#contact-options) below. Please do not open an issue,
@@ -44,19 +42,19 @@ for users who have a GitHub account.
 Users can utilize the [security@authelia.com](mailto:security@authelia.com) email address to privately report a
 vulnerability. This is an easy method of users who do not have a GitHub account.
 
-This email address is only accessible by key members of the team for the purpose of disclosing security vulnerabilities
+This email address is only accessible by members of the [core team] for the purpose of disclosing security
-and issues within the __Authelia__ code base.
+vulnerabilities and issues within the __Authelia__ code base.
 
 ### Chat
 
 If you wish to chat directly instead of sending an email please use one of the
-[chat options](../information/contact.md#chat) to direct / private message one of the core team members.
+[chat options](../information/contact.md#chat) to direct / private message one of the [core team] members.
 
 Please avoid this method unless absolutely necessary. We generally prefer that users use either the
 [GitHub Security](#github-security) or [Email](#email) option rather than this option as it both allows multiple team
-members to deal with the report and prevents mistakes when contacting a core team member.
+members to deal with the report and prevents mistakes when contacting a [core team] member.
 
-The core team members are identified in [Matrix](../information/contact.md#matrix) as room admins, and in
+The [core team] members are identified in [Matrix](../information/contact.md#matrix) as room admins, and in
 [Discord](../information/contact.md#discord) with the `Core Team` role.
 
 ## Process
@@ -83,7 +81,7 @@ The core team members are identified in [Matrix](../information/contact.md#matri
 
 Users who report bugs will at their discretion (i.e. they do not have to be if they wish to remain anonymous) be
 credited for the discovery. Both in the [security advisory] and in our
-[all contributors](https://github.com/authelia/authelia/blob/master/README.md#contribute) documentation.
+[all contributors] documentation.
 
 ## Help wanted
 
@@ -99,5 +97,8 @@ If you know of a company which either performs these kinds of audits and would b
 way such as doing it pro bono or at a discounted rate, or wants to help improve _Authelia_ in a meaningful way and is
 willing to make a financial contribution towards this then please feel free to contact us.
 
+[coordinated vulnerability disclosure]: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure
 [security advisory]: https://github.com/authelia/authelia/security/advisories
 [report a vulnerability]: https://github.com/authelia/authelia/security/advisories/new
+[core team]: ../information/about.md#core-team
+[all contributors]: https://github.com/authelia/authelia/blob/master/README.md#contribute

docs/content/en/policies/versioning.md

@@ -22,6 +22,17 @@ prevent automatic upgrade of the `major` version.
 We generally do not recommend automated upgrades of critical systems but instead recommend ensuring you are notified an
 upgrade exists.
 
+## Supported Versions
+
+The following information is indicative of our support policy:
+
+- We provide support to user questions for 3 `minor` versions at minimum
+- We provide bug fixes (as a `patch`) to the latest `minor` version
+- We provide vulnerability fixes:
+  - As workarounds in the [security advisory](https://github.com/authelia/authelia/security/advisories) (if possible)
+  - As patches in the [security advisory](https://github.com/authelia/authelia/security/advisories)
+  - To the last 3 `minor` versions upon request
+
 ## Major Version Zero
 
 A major version of `v0.x.x` indicates as per the [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html) policy
@@ -35,6 +46,7 @@ It is important to note that each component has its own version, for example the
 v4.40.0 but another component such as the [Helm Chart](https://charts.authelia.com) version may be v0.9.0.
 
 This means that a breaking change may occur to one but not the other as these components do not share a version.
+
 ## Exceptions
 
 There are exceptions to this versioning policy.