docs: openssf best practices (#5079)

* docs: openssf best practices

* docs: update csp

* docs: update sponsors and governance
pull/5088/head
James Elliott 2023-03-19 17:29:12 +11:00 committed by GitHub
parent bfb45c57b8
commit a2b3cbd794
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 525 additions and 105 deletions

View File

@ -18,7 +18,9 @@ repository (but search first in case a similar issue already exists).
If you would like to fix a bug or implement a feature, please fork the repository and create a Pull Request. If you would like to fix a bug or implement a feature, please fork the repository and create a Pull Request.
More information on getting set up locally can be found in the More information on getting set up locally can be found in the
[Development Contribution](https://www.authelia.com/contributing/development/introduction/) documentation. [Development Contribution](https://www.authelia.com/contributing/development/introduction/) documentation, in addition
the [Contribution Guidelines](https://www.authelia.com/contributing/guidelines/introduction/) documentation includes
several contribution guidelines.
Before you start any Pull Request, it's recommended that you create an issue to discuss first if you have any doubts Before you start any Pull Request, it's recommended that you create an issue to discuss first if you have any doubts
about requirement or implementation. That way you can be sure that the maintainer(s) agree on what to change and how, about requirement or implementation. That way you can be sure that the maintainer(s) agree on what to change and how,
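Review bot: the sentence added at the end of the first paragraph runs on from the previous one and repeats "guidelines" three times ("documentation, in addition the [Contribution Guidelines](...) documentation includes several contribution guidelines"). Suggest ending the first sentence at "documentation." and adding a separate sentence such as "The [Contribution Guidelines](https://www.authelia.com/contributing/guidelines/introduction/) documentation also describes the conventions contributors are expected to follow."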

View File

@ -4,9 +4,10 @@
[![Build](https://img.shields.io/buildkite/d6543d3ece3433f46dbe5fd9fcfaf1f68a6dbc48eb1048bc22/master?logo=buildkite&style=flat-square&color=brightgreen)](https://buildkite.com/authelia/authelia) [![Build](https://img.shields.io/buildkite/d6543d3ece3433f46dbe5fd9fcfaf1f68a6dbc48eb1048bc22/master?logo=buildkite&style=flat-square&color=brightgreen)](https://buildkite.com/authelia/authelia)
[![Go Report Card](https://goreportcard.com/badge/github.com/authelia/authelia/v4?logo=go&style=flat-square)](https://goreportcard.com/report/github.com/authelia/authelia/v4) [![Go Report Card](https://goreportcard.com/badge/github.com/authelia/authelia/v4?logo=go&style=flat-square)](https://goreportcard.com/report/github.com/authelia/authelia/v4)
[![GitHub Release](https://img.shields.io/github/release/authelia/authelia.svg?logo=github&style=flat-square&color=blue)](https://github.com/authelia/authelia/releases)
[![Docker Tag](https://img.shields.io/docker/v/authelia/authelia/latest?logo=docker&style=flat-square&color=blue&sort=semver)](https://hub.docker.com/r/authelia/authelia/tags) [![Docker Tag](https://img.shields.io/docker/v/authelia/authelia/latest?logo=docker&style=flat-square&color=blue&sort=semver)](https://hub.docker.com/r/authelia/authelia/tags)
[![Docker Size](https://img.shields.io/docker/image-size/authelia/authelia/latest?logo=docker&style=flat-square&color=blue&sort=semver)](https://hub.docker.com/r/authelia/authelia/tags) [![Docker Size](https://img.shields.io/docker/image-size/authelia/authelia/latest?logo=docker&style=flat-square&color=blue&sort=semver)](https://hub.docker.com/r/authelia/authelia/tags)
[![GitHub Release](https://img.shields.io/github/release/authelia/authelia.svg?logo=github&style=flat-square&color=blue)](https://github.com/authelia/authelia/releases) ![Docker Pulls](https://img.shields.io/docker/pulls/authelia/authelia?label=pulls&style=flat-square)
[![AUR source version](https://img.shields.io/aur/version/authelia?logo=arch-linux&label=authelia&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia/) [![AUR source version](https://img.shields.io/aur/version/authelia?logo=arch-linux&label=authelia&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia/)
[![AUR binary version](https://img.shields.io/aur/version/authelia-bin?logo=arch-linux&label=authelia-bin&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia-bin/) [![AUR binary version](https://img.shields.io/aur/version/authelia-bin?logo=arch-linux&label=authelia-bin&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia-bin/)
[![AUR development version](https://img.shields.io/aur/version/authelia-git?logo=arch-linux&label=authelia-git&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia-git/) [![AUR development version](https://img.shields.io/aur/version/authelia-git?logo=arch-linux&label=authelia-git&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia-git/)
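Review bot: the new Docker Pulls badge is the only badge in this block that is not wrapped in a link; for consistency with the Docker Tag and Docker Size badges beside it, consider linking it to https://hub.docker.com/r/authelia/authelia/tags. The move of the GitHub Release badge above Docker Tag is fine.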
@ -15,6 +16,8 @@
[![Discord](https://img.shields.io/discord/707844280412012608?label=discord&logo=discord&style=flat-square&color=blue)](https://discord.authelia.com) [![Discord](https://img.shields.io/discord/707844280412012608?label=discord&logo=discord&style=flat-square&color=blue)](https://discord.authelia.com)
[![Matrix](https://img.shields.io/matrix/authelia-support:matrix.org?label=matrix&logo=matrix&style=flat-square&color=blue)](https://matrix.to/#/#support:authelia.com) [![Matrix](https://img.shields.io/matrix/authelia-support:matrix.org?label=matrix&logo=matrix&style=flat-square&color=blue)](https://matrix.to/#/#support:authelia.com)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7128/badge?label=matrix&logo=matrix&style=flat-square&color=blue)](https://bestpractices.coreinfrastructure.org/projects/7128)
**Authelia** is an open-source authentication and authorization server providing two-factor authentication and single **Authelia** is an open-source authentication and authorization server providing two-factor authentication and single
sign-on (SSO) for your applications via a web portal. It acts as a companion for [reverse proxies](#proxy-support) by sign-on (SSO) for your applications via a web portal. It acts as a companion for [reverse proxies](#proxy-support) by
allowing, denying, or redirecting requests. allowing, denying, or redirecting requests.
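Review bot: the OpenSSF Best Practices badge URL carries `label=matrix&logo=matrix`, which looks copied from the Matrix badge on the line above, so the badge will be labelled and iconed as Matrix rather than identifying OpenSSF. Remove those two query parameters (and check what the bestpractices.coreinfrastructure.org badge endpoint actually honours), keeping the link target `https://bestpractices.coreinfrastructure.org/projects/7128`.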

View File

@ -2,46 +2,92 @@
## Prologue ## Prologue
Authelia takes security very seriously. We follow the rule of The __Authelia__ team takes security very seriously. Because __Authelia__ is intended as a security product a lot of
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as decisions are made with security being the priority and we always aim to implement security by design.
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately as described in the ## Coordinated vulnerability disclosure
[contact options](#contact-options) below.
We urge you not to disclose the bug publicly at least until we've had a __Authelia__ follows the
reasonable chance to fix it, and to clearly communicate any public disclosure timeline in your initial contact with us. [coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) model when
If you do not have a particular public disclosure timeline, we will clearly communicate ours as we publish security dealing with security vulnerabilities. This was previously known as responsible disclosure. We strongly urge anyone
advisories. reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered as a best
practice by many in the security industry.
If you believe you have identified a security vulnerability or security related bug with __Authelia__ please make every
effort to contact us privately using one of the [contact options](#contact-options) below. Please do not open an issue,
do not notify us in public, and do not disclose this issue to third parties.
Using this process helps ensure that users affected have an avenue to fixing the issue as close to the issue being
made public as possible. This mitigates the increasing the attack surface (via improving attacker knowledge) for
diligent administrators simply via the act of disclosing the security issue.
For more information about [security](https://www.authelia.com/information/security/) related matters, please read For more information about [security](https://www.authelia.com/information/security/) related matters, please read
[the documentation](https://www.authelia.com/information/security/). [the documentation](https://www.authelia.com/information/security/).
## Contact Options ## Contact Options
Several [contact options](README.md#contact-options) exist, it's important to make sure you contact the maintainers Several contact options exist however it's important you specifically use a security contact method when reporting a
privately which is described in each available contact method. The methods include our [security email](README.md#security), security vulnerability or security related bug. These methods are clearly documented below.
[Matrix](README.md#matrix), and [Discord](README.md#discord).
## Credit ### GitHub Security
Users who report bugs will optionally be credited for the discovery. Both in the [security advisory] and in our Users can utilize GitHub's security vulnerability system to privately [report a vulnerability]. This is an easy method
[all contributors](README.md#contribute) configuration/documentation. for users who have a GitHub account.
### Email
Users can utilize the [security@authelia.com](mailto:security@authelia.com) email address to privately report a
vulnerability. This is an easy method of users who do not have a GitHub account.
This email address is only accessible by key members of the team for the purpose of disclosing security vulnerabilities
and issues within the __Authelia__ code base.
### Chat
If you wish to chat directly instead of sending an email please use either [Matrix](README.md#matrix) or
[Discord](README.md#discord) to direct / private message one of the core team members.
Please avoid this method unless absolutely necessary. We generally prefer that users use either the
[GitHub Security](#github-security) or [Email](#email) option rather than this option as it both allows multiple team
members to deal with the report and prevents mistakes when contacting a core team member.
The core team members are identified in [Matrix](README.md#matrix) as room admins, and in [Discord](README.md#discord)
with the `Core Team` role.
## Process ## Process
1. User privately reports a potential vulnerability. 1. The user privately reports a potential vulnerability.
2. The core team reviews the report and ascertain if additional information is required. 2. The report is acknowledged as received.
3. The core team reproduces the bug. 3. The report is reviewed to ascertain if additional information is required. If it is required:
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch. 1. The user is informed that the additional information is required.
5. The fix is confirmed to resolve the vulnerability. 2. The user privately adds the additional information.
6. The fix is released. 3. The process begins at step 3 again, proceeding to step 4 if the additional information provided is sufficient.
7. The [security advisory] is published sometime after users have had a chance to update. 4. The vulnerability is reproduced.
5. The vulnerability is patched, and if possible the user reporting the bug is given access to a fixed binary, docker
image, and git patch.
6. The patch is confirmed to resolve the vulnerability.
7. The fix is released.
8. The [security advisory] is published sometime after users have had a chance to update.
## Help Wanted ## Credit
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits Users who report bugs will at their discretion (i.e. they do not have to be if they wish to remain anonymous) be
related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro credited for the discovery. Both in the [security advisory] and in our [all contributors](README.md#contribute)
bono, or funding towards services like these please feel free to contact us on *any* of the methods above. documentation.
## Help wanted
We are actively looking for sponsorship to obtain security audits to comprehensively ensure the security of _Authelia_.
As security is really important to us we see this as one of the main financial priorities.
We believe that we should obtain the following categories of security audits:
* Code Security Audit / Analysis
* Penetration Testing
If you know of a company which either performs these kinds of audits and would be willing to sponsor the audit in some
way such as doing it pro bono or at a discounted rate, or wants to help improve _Authelia_ in a meaningful way and is
willing to make a financial contribution towards this then please feel free to contact us.
[security advisory]: https://github.com/authelia/authelia/security/advisories [security advisory]: https://github.com/authelia/authelia/security/advisories
[report a vulnerability]: https://github.com/authelia/authelia/security/advisories/new
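Review bot: the paragraph beginning "Using this process helps ensure" has a grammatical tangle in its second sentence: "This mitigates the increasing the attack surface (via improving attacker knowledge) for diligent administrators simply via the act of disclosing the security issue." Suggest something like "This limits the window in which public disclosure improves attacker knowledge before diligent administrators are able to patch." Two smaller fixes in the same hunk: under Email, "This is an easy method of users who do not have a GitHub account" should read "for users", and under Chat, "prevents mistakes when contacting a core team member" would be clearer as "avoids a report being sent to someone who is not a core team member". The nested sub-steps under step 3 of the Process are fine but note they are rendered as a second numbered list, so confirm the Markdown renderer indents them as intended.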

View File

@ -62,7 +62,12 @@
url = "/code-of-conduct" url = "/code-of-conduct"
weight = 30 weight = 30
[[footer]]
name = "About"
url = "/information/about"
weight = 40
[[footer]] [[footer]]
name = "Contact" name = "Contact"
url = "/information/contact" url = "/information/contact"
weight = 40 weight = 50

View File

@ -94,6 +94,26 @@ authelia-scripts suites test Standalone
The suite will be spawned, tests will be run and then the suite will be torn down automatically. The suite will be spawned, tests will be run and then the suite will be torn down automatically.
## Manually Building
### Binary
If you want to manually build the binary from source you will require the open source software described in the
[Development Environment](./environment.md#setup) documentation.
Then the commands required are as follows:
```bash
git clone https://github.com/authelia/authelia.git
cd authelia\web
pnpm install
pnpm build
cd ..
go mod download
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
go build -ldflags "-linkmode=external -s -w" -trimpath -buildmode=pie -o authelia ./cmd/authelia
```
[suites]: ./integration-suites.md [suites]: ./integration-suites.md
[React]: https://reactjs.org/ [React]: https://reactjs.org/
[go]: https://go.dev/dl/ [go]: https://go.dev/dl/
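Review bot: `cd authelia\web` in the new `bash` block uses a Windows-style backslash; in bash the backslash escapes the `w`, so the command resolves to `cd autheliaweb` and fails. It should be `cd authelia/web`. The rest of the sequence (building the frontend first, then `cd ..`, `go mod download`, and the hardened `go build` with `CGO_ENABLED=1`, `-buildmode=pie`, `-trimpath` and the relro/now linker flags) matches the project's hardened build, but it would help readers to state that `-linkmode=external` requires a working C toolchain, which the Development Environment page presumably covers.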

View File

@ -19,3 +19,20 @@ those which are automated and those which are not in this section.
While it's expected that people aim to follow all of these guidelines we understand that there are logical exceptions to While it's expected that people aim to follow all of these guidelines we understand that there are logical exceptions to
all guidelines and if it makes sense we're likely to agree with you. So if you find a situation where it doesn't make all guidelines and if it makes sense we're likely to agree with you. So if you find a situation where it doesn't make
sense to follow one just let us know your reasoning when you make a PR if it's not obvious. sense to follow one just let us know your reasoning when you make a PR if it's not obvious.
## General Guidelines
Some general guidelines include:
- Testing:
- While we aim for 100% coverage on changes, we do not enforce this where it doesn't make practical sense:
- A test which just marks a line as tested is not necessarily an effectual test
- Sometimes there is limited ways in which tests can be performed and the limitation makes the test ineffectual
- Tests should be named to reflect what they testing for and which part of the code they are testing
- It's strongly encouraged for bug fixes that contributors create a test that fails prior to fixing the bug and passes
after fixing the bug and that this test is part of the contribution
- It's strongly encouraged for features that contributors create have as much testing as is reasonable
- It's recommended people wishing to contribute discuss their intended changes prior to contributing
- This helps avoid people doubling up on contributions
- This helps avoid conflicts between contributions
- This helps avoid contributors wasting their percussion time in a contribution that may not be accepted
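Review bot: several typos in the new General Guidelines list: "there is limited ways" should be "there are limited ways", "what they testing for" should be "what they are testing for", and "wasting their percussion time" should be "wasting their precious time". The item "It's strongly encouraged for features that contributors create have as much testing as is reasonable" is also missing a verb; suggest "It's strongly encouraged that features contributors create have as much testing as is reasonable".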

View File

@ -44,40 +44,4 @@ We are currently directly looking for someone to sponsor:
* [Security Audit](../../policies/security.md#help-wanted) * [Security Audit](../../policies/security.md#help-wanted)
### Balto To see a list of our sponsors pleaase see the [sponsors section](../../information/about.md#sponsors) on the about page.
Our [apt repository](https://apt.authelia.com) is hosted thanks to [Balto](https://www.getbalto.com/?from=Authelia).
{{< figure src="/images/logos/balto.svg" alt="Balto" width="193" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Buildkite
Our [continuous integration and continuous deployment pipelines](https://buildkite.com/authelia/?from=Authelia) are hosted by
[Buildkite](https://buildkite.com/features?from=Authelia).
### Crowdin
Our [localization platform](https://translate.authelia.com) is hosted by [Crowdin](https://crowdin.com/?from=Authelia).
### JetBrains
Our development IDE's are provided by [JetBrains](https://www.jetbrains.com/?from=Authelia).
{{< figure src="/images/logos/jetbrains.svg" alt="JetBrains" width="50" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Microsoft
Our pipeline agents which we rely on for productivity are hosted on [Azure](https://azure.microsoft.com/?from=Authelia)
and our [git repositories](https://github.com/authelia) are hosted on [GitHub](https://github.com/?from=Authela)
which are both [Microsoft](https://www.microsoft.com/?from=Authelia) products.
{{< figure src="/images/logos/microsoft.svg" alt="Microsoft" width="234.45" style="padding-right: 10px" ignoreStaticImages="false" >}}
{{< figure src="/images/logos/azure.svg" alt="Azure" width="173.55" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Netlify
Our [website and documentation](https://www.authelia.com) are built and hosted by
[Netlify](https://www.netlify.com/?from=Authelia).
[Open Collective]: https://opencollective.com/authelia-sponsors
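Review bot: typo "pleaase" in the new sentence should be "please". Since all of the sponsor sections are moved out of this file, check whether the `[Open Collective]` reference definition kept at the bottom is still referenced anywhere in the remaining text; if not it can be removed along with them.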

View File

@ -0,0 +1,8 @@
---
title: "Amir Zarrinkafsh"
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
---
{{< profile-details name="amir-zarrinkafsh" >}}

View File

@ -0,0 +1,8 @@
---
title: "Clément Michaud"
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
---
{{< profile-details name="clement-michaud" >}}

View File

@ -1,15 +1,8 @@
--- ---
title: "James Elliott" title: "James Elliott"
description: "Authelia Core Team"
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false
images: [] images: []
--- ---
*__Authelia Core Team Member.__* {{< profile-details name="james-elliott" >}}
__GitHub:__ [james-d-elliott](https://github.com/james-d-elliott)
__Email:__ [james.elliott@authelia.com](mailto:james.elliott@authelia.com)
__Matrix:__ [@james:authelia.com](https://matrix.to/#/@james:authelia.com) __Discord:__ [James#6549](https://discord.com/users/209869584814047232/)

View File

@ -0,0 +1,8 @@
---
title: "Manuel Nuñez"
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
---
{{< profile-details name="manuel-nunez" >}}

View File

@ -0,0 +1,104 @@
---
title: "About"
description: "About Authelia and the Authelia Team"
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
aliases:
- /about
- /about.html
---
## What is Authelia?
Authelia is a project with several open source developers who contribute to the project in their free time. We are not
a company or another type of incorporated entity, and do not have any monetization model. Individuals and Organizations
are free to contribute [financially](../contributing/prologue/financial.md) or with their time to the
[documentation](../contributing/prologue/documentation-contributions.md) or
[code base](../contributing/development/introduction.md).
## Teams
The following section describes the various teams within the Authelia project.
### Core Team
{{% profile-team name="core" %}}
### Maintainers Team
{{% profile-team name="maintainers" %}}
## Sponsors
Authelia is sponsored by the organizations listed below. The organizations below sponsor us completely voluntarily
and do not expect anything additional other than us mentioning them or having a code of conduct, and some do not even
require either of those things.
Please see the [sponsorship section](../contributing/prologue/financial.md#sponsorship) of the financial contributing
page for more information on how to become a sponsor.
### Balto
Our [apt repository](https://apt.authelia.com) is hosted thanks to [Balto](https://www.getbalto.com/?from=Authelia).
{{< figure src="/images/logos/balto.svg" alt="Balto" width="193" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Buildkite
Our [continuous integration and continuous deployment pipelines](https://buildkite.com/authelia/?from=Authelia) are hosted by
[Buildkite](https://buildkite.com/features?from=Authelia).
### Crowdin
Our [localization platform](https://translate.authelia.com) is hosted by [Crowdin](https://crowdin.com/?from=Authelia).
### JetBrains
Our development IDE's are provided by [JetBrains](https://www.jetbrains.com/?from=Authelia).
{{< figure src="/images/logos/jetbrains.svg" alt="JetBrains" width="50" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Microsoft
Our pipeline agents which we rely on for productivity are hosted on [Azure](https://azure.microsoft.com/?from=Authelia)
and our [git repositories](https://github.com/authelia) are hosted on [GitHub](https://github.com/?from=Authela)
which are both [Microsoft](https://www.microsoft.com/?from=Authelia) products.
{{< figure src="/images/logos/microsoft.svg" alt="Microsoft" width="234.45" style="padding-right: 10px" ignoreStaticImages="false" >}}
{{< figure src="/images/logos/azure.svg" alt="Azure" width="173.55" style="padding-right: 10px" ignoreStaticImages="false" >}}
### Netlify
Our [website and documentation](https://www.authelia.com) are built and hosted by
[Netlify](https://www.netlify.com/?from=Authelia).
[Open Collective]: https://opencollective.com/authelia-sponsors
## Governance and Affiliations
Authelia is free from any outside governance and is entirely governed as outlined on this page, in addition we do not
have any affiliations which have ever asked this of us.
Our affiliations with external companies will be transparently communicated in this section and the
[sponsors](#sponsors) section.
## Compliance
The following section contains various compliance related information.
### Key Individuals
There is no key individual who if they were incapacitated or unavailable would prevent future operations of the project.
All of the following areas can be reset or are otherwise accessible to all of the members of the [Core Team](#core-team):
- Private Keys
- Access Rights
- Passwords
### Bus Factor
The Authelia team has a bus factor of 3. Meaning that the project would stall if 3 team members were suddenly hit by a
bus.
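Review bot: the Bus Factor paragraph is a sentence fragment ("Meaning that the project would stall..."); suggest "The Authelia team has a bus factor of 3, meaning the project would stall only if three team members became unavailable at the same time." Two further points in this hunk: the GitHub link in the Microsoft sponsor section carries `?from=Authela` (carried over from financial.md) where the other links use `?from=Authelia`, and the Governance sentence "in addition we do not have any affiliations which have ever asked this of us" is hard to parse; suggest "and no affiliated organisation has ever asked for a role in governance". The `[Open Collective]` reference definition under Sponsors does not appear to be used by any link in this new file.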

View File

@ -11,14 +11,23 @@ aliases:
## Security ## Security
If you believe you have identified a security related bug with Authelia please visit the If you believe you have identified a security vulnerability or security related bug with __Authelia__ please view our
[security policy](../policies/security.md) documentation. [security policy](../policies/security.md).
## Individual Team Members
If you're interested in contacting an individual team member for any reason please see the [About](about.md)
informational page.
## GitHub ## GitHub
### Discussions ### Discussions
If you have a general question or want to discuss an idea that's not entirely hashed out please visit The [GitHub Discussions](https://github.com/authelia/authelia/discussions) forum is the correct location to discus
anything that is not a bug or feature request such as:
- Ideas about
If you have a general question or want to discuss an idea that you're not entirely sure about out please visit
[GitHub Discussions](https://github.com/authelia/authelia/discussions) and start a new discussion. [GitHub Discussions](https://github.com/authelia/authelia/discussions) and start a new discussion.
### Issues ### Issues
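Review bot: the new Discussions paragraph looks unfinished: "discus" should be "discuss", the list introduced by "such as:" contains a single dangling item "- Ideas about" with no content, and the paragraph that follows has a stray word in "not entirely sure about out please visit". Either complete the list of discussion topics or drop the list and keep a single paragraph.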
@ -55,7 +64,7 @@ are bridged to the [Matrix Rooms](#matrix) with the same names providing they ex
To contact the team for anything not security related you can utilize [team@authelia.com](mailto:team@authelia.com). To contact the team for anything not security related you can utilize [team@authelia.com](mailto:team@authelia.com).
For all security related matters over email please ensure you use [security@authelia.com](mailto:team@authelia.com). For all security related matters over email please ensure you use [security@authelia.com](mailto:security@authelia.com).
[Discord]: https://discord.com/ [Discord]: https://discord.com/
[Matrix]: https://matrix.org/ [Matrix]: https://matrix.org/

View File

@ -11,7 +11,7 @@ aliases:
--- ---
The __Authelia__ team takes security very seriously. Because __Authelia__ is intended as a security product a lot of The __Authelia__ team takes security very seriously. Because __Authelia__ is intended as a security product a lot of
decisions are made with security being the priority. decisions are made with security being the priority and we always aim to implement security by design.
## Coordinated vulnerability disclosure ## Coordinated vulnerability disclosure
@ -21,48 +21,69 @@ dealing with security vulnerabilities. This was previously known as responsible
reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered as a best reporting vulnerabilities to __Authelia__ or any other project to follow this model as it is considered as a best
practice by many in the security industry. practice by many in the security industry.
If you believe you have identified a security related bug with Authelia please do not open an issue, do not notify us in If you believe you have identified a security vulnerability or security related bug with __Authelia__ please make every
public, and do not disclose this issue to third parties. Please use one of the [contact options](#contact-options) effort to contact us privately using one of the [contact options](#contact-options) below. Please do not open an issue,
below. do not notify us in public, and do not disclose this issue to third parties.
Using this process helps ensure that users affected have an avenue to fixing the issue as close to the issue being
made public as possible. This mitigates the increasing the attack surface (via improving attacker knowledge) for
diligent administrators simply via the act of disclosing the security issue.
## Contact Options ## Contact Options
Several contact options exist however it's important you specifically use a security contact method when reporting a
security vulnerability or security related bug. These methods are clearly documented below.
### GitHub Security
Users can utilize GitHub's security vulnerability system to privately [report a vulnerability]. This is an easy method
for users who have a GitHub account.
### Email ### Email
Please utilize the [security@authelia.com](mailto:team@authelia.com) email address for security issues discovered. This Users can utilize the [security@authelia.com](mailto:security@authelia.com) email address to privately report a
email address is only accessible by key members of the team for the purpose of disclosing security issues within the vulnerability. This is an easy method of users who do not have a GitHub account.
__Authelia__ code base.
This is the preferred method of reporting. This email address is only accessible by key members of the team for the purpose of disclosing security vulnerabilities
and issues within the __Authelia__ code base.
### Chat ### Chat
If you wish to chat directly instead of sending an email please use one of the If you wish to chat directly instead of sending an email please use one of the
[chat options](../information/contact.md#chat) but it is vital that when you do that you only do so privately with one [chat options](../information/contact.md#chat) to direct / private message one of the core team members.
of the maintainers. In order to start a private discussion you should ask to have a private discussion with a team
member without mentioning the reason why you wish to have a private discussion so that provided the bug is confirmed we
can coordinate the release of fixes and information responsibly.
## Credit Please avoid this method unless absolutely necessary. We generally prefer that users use either the
[GitHub Security](#github-security) or [Email](#email) option rather than this option as it both allows multiple team
members to deal with the report and prevents mistakes when contacting a core team member.
Users who report bugs will optionally be credited for the discovery in the The core team members are identified in [Matrix](../information/contact.md#matrix) as room admins, and in
[security advisory](https://github.com/authelia/authelia/security/advisories) and/or in our [Discord](../information/contact.md#discord) with the `Core Team` role.
[all contributors](https://github.com/authelia/authelia/blob/master/README.md#contribute) configuration/documentation.
## Process ## Process
1. User privately reports a potential vulnerability. 1. The user privately reports a potential vulnerability.
2. The core team reviews the report and ascertain if additional information is required. 2. The report is acknowledged as received.
3. The core team reproduces the bug. 3. The report is reviewed to ascertain if additional information is required. If it is required:
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch. 1. The user is informed that the additional information is required.
5. The fix is confirmed to resolve the vulnerability. 2. The user privately adds the additional information.
6. The fix is released. 3. The process begins at step 3 again, proceeding to step 4 if the additional information provided is sufficient.
7. The security advisory is published sometime after users have had a chance to update. 4. The vulnerability is reproduced.
5. The vulnerability is patched, and if possible the user reporting the bug is given access to a fixed binary, docker
image, and git patch.
6. The patch is confirmed to resolve the vulnerability.
7. The fix is released.
8. The [security advisory] is published sometime after users have had a chance to update.
## Credit
Users who report bugs will at their discretion (i.e. they do not have to be if they wish to remain anonymous) be
credited for the discovery. Both in the [security advisory] and in our
[all contributors](https://github.com/authelia/authelia/blob/master/README.md#contribute) documentation.
## Help wanted ## Help wanted
We are actively looking for sponsorship to obtain security audits to comprehensively ensure the security of Authelia. We are actively looking for sponsorship to obtain security audits to comprehensively ensure the security of _Authelia_.
As security is imperative to us we see this as one of the main financial priorities. As security is really important to us we see this as one of the main financial priorities.
We believe that we should obtain the following categories of security audits: We believe that we should obtain the following categories of security audits:
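Review bot: this hunk carries the same wording issues as the SECURITY.md copy of the text earlier in this commit: "This mitigates the increasing the attack surface (via improving attacker knowledge) for diligent administrators simply via the act of disclosing the security issue." and "This is an easy method of users who do not have a GitHub account." Since SECURITY.md and this page now contain near-identical text, consider making one the source of truth (or generating one from the other) so the two copies do not drift.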
@ -70,5 +91,8 @@ We believe that we should obtain the following categories of security audits:
* Penetration Testing * Penetration Testing
If you know of a company which either performs these kinds of audits and would be willing to sponsor the audit in some If you know of a company which either performs these kinds of audits and would be willing to sponsor the audit in some
way such as doing it pro bono or at a discounted rate, or wants to help improve Authelia in a meaningful way and is way such as doing it pro bono or at a discounted rate, or wants to help improve _Authelia_ in a meaningful way and is
willing to make a financial contribution towards this then please feel free to contact us. willing to make a financial contribution towards this then please feel free to contact us.
[security advisory]: https://github.com/authelia/authelia/security/advisories
[report a vulnerability]: https://github.com/authelia/authelia/security/advisories/new
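Review bot: "As security is really important to us" is weaker than the "As security is imperative to us" it replaces; keep "imperative" or use "critical", since the sentence is the justification for making audits a financial priority. Also confirm the new `[report a vulnerability]` reference definition is actually used in the body of the document, otherwise it is a dead link definition.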


@ -0,0 +1,81 @@
{
"people": {
"clement-michaud": {
"display": "Clément Michaud",
"description": "",
"team": "core",
"location": "Paris",
"github": "clems4ever",
"email": "",
"discord": {
"id": "",
"tag": ""
},
"matrix": ""
},
"amir-zarrinkafsh": {
"display": "Amir Zarrinkafsh",
"description": "",
"team": "core",
"location": "Melbourne, Australia",
"github": "nightah",
"email": "",
"discord": {
"id": "",
"tag": ""
},
"matrix": ""
},
"james-elliott": {
"display": "James Elliott",
"description": "",
"team": "core",
"location": "Melbourne, Australia",
"github": "james-d-elliott",
"email": "james.elliott@authelia.com",
"discord": {
"id": "209869584814047232",
"tag": "James#6549"
},
"matrix": "@james:authelia.com"
},
"manuel-nunez": {
"display": "Manuel Nuñez",
"description": "",
"team": "maintainers",
"location": "Argentina",
"github": "mind-ar",
"email": "",
"discord": {
"id": "",
"tag": ""
},
"matrix": ""
}
},
"teams": {
"core": {
"display": "Core",
"description": "The Core Team are effectively members of the Maintainers Team with extra responsibilities.",
"people": ["clement-michaud", "amir-zarrinkafsh", "james-elliott"],
"responsibilities": [
"All responsibilities of the Maintainers Team",
"Review and merge pull requests from all other teams",
"Handle vulnerability and security related bug reports",
"Handle project governance unanimously",
"Maintain the project roadmap",
"Coordinate collaboration",
"Maintain the continuous integration and delivery pipelines and related mechanisms"
]
},
"maintainers": {
"display": "Maintainers",
"description": "The Maintainer Team are traditional repository maintainers.",
"people": ["manuel-nunez"],
"responsibilities": [
"Review and merge pull requests from external parties",
"Respond to bug reports, feature requests, discussions, and support chat rooms"
]
}
}
}
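Review bot: nothing validates that each person's `team` value names a key in `teams`, or that every entry in a team's `people` array names a key in `people`; the templates that consume this file look both up with `index`, which returns nil on a miss and renders nothing instead of failing the build, so a typo in `"team": "maintainers"` would just drop the person from the page. A small data test or an `errorf` in the consuming partial would surface this at build time. Style: the description "The Maintainer Team are traditional repository maintainers." should use the same "Maintainers Team" wording as the core team description.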


@ -3,7 +3,7 @@
Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' https://*.netlify.app 'unsafe-inline' 'sha512-RGGByJUOP98hE4wFZM78RM/3MijWJs0Tm0DbfrFhCDCXKXfDx60fii+syp5iMs3UcNX/1H4zJNgmqSejfhHrYw==' 'sha512-+T2H7TEv2U6umnIOWYijvTIrzdCZUYhm/FZo4YYQzKAHf8NWs+38cn3t9fdz2rCm2HqHDkthZZXnY4EWPdWnMA==' 'sha512-okYuGnNmmUuCX64AD7FVra0445z43U8riOY3jZue+WZ2KeVOWLo17hE/wZXGUIJh9WBiSHZ2epTd36MMP6R66w==' 'sha512-bv9WRsSROhTW5djDurORNUCGITVeRfjDXkhqg4Ez/4vTY6FcaVBPy4MXpn4EGC3J3oZNcxpfQIScElDKlmiLhw==' 'sha512-RBYr6Ld4w1yVqaACrgrBLQfPgGhj/1jyacA74WxJ1KM6KVcSWymwrdDwb3HDcdpwiNJ5yssot1He0U9vXoQVlg==' 'sha256-aWZ3y/RxbBYKHXH0z8+8ljrHG1mSBvyzSfxSMjBSaXk=' 'sha256-vOgyKS2vkH4n5TxBJpeh9SgzrE6LVGsAeOAvEST6oCc='; style-src 'self' https://*.netlify.app 'unsafe-inline'; img-src 'self' https://*.netlify.app data:; connect-src 'self' https://*.netlify.app; font-src 'self' https://*.netlify.app; manifest-src 'self' https://*.netlify.app; object-src 'none'; frame-src https://app.netlify.com; frame-ancestors 'none'; base-uri 'none' Content-Security-Policy: default-src 'self'; script-src 'self' https://*.netlify.app 'unsafe-inline' 'sha512-RGGByJUOP98hE4wFZM78RM/3MijWJs0Tm0DbfrFhCDCXKXfDx60fii+syp5iMs3UcNX/1H4zJNgmqSejfhHrYw==' 'sha512-+T2H7TEv2U6umnIOWYijvTIrzdCZUYhm/FZo4YYQzKAHf8NWs+38cn3t9fdz2rCm2HqHDkthZZXnY4EWPdWnMA==' 'sha512-okYuGnNmmUuCX64AD7FVra0445z43U8riOY3jZue+WZ2KeVOWLo17hE/wZXGUIJh9WBiSHZ2epTd36MMP6R66w==' 'sha512-bv9WRsSROhTW5djDurORNUCGITVeRfjDXkhqg4Ez/4vTY6FcaVBPy4MXpn4EGC3J3oZNcxpfQIScElDKlmiLhw==' 'sha512-RBYr6Ld4w1yVqaACrgrBLQfPgGhj/1jyacA74WxJ1KM6KVcSWymwrdDwb3HDcdpwiNJ5yssot1He0U9vXoQVlg==' 'sha256-aWZ3y/RxbBYKHXH0z8+8ljrHG1mSBvyzSfxSMjBSaXk=' 'sha256-vOgyKS2vkH4n5TxBJpeh9SgzrE6LVGsAeOAvEST6oCc='; style-src 'self' https://*.netlify.app 'unsafe-inline'; img-src 'self' https://*.netlify.app https://github.com https://avatars.githubusercontent.com data:; connect-src 'self' https://*.netlify.app; font-src 'self' https://*.netlify.app; manifest-src 'self' https://*.netlify.app; 
object-src 'none'; frame-src https://app.netlify.com; frame-ancestors 'none'; base-uri 'none'
X-Frame-Options: SAMEORIGIN X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin Referrer-Policy: strict-origin
Feature-Policy: geolocation 'self' Feature-Policy: geolocation 'self'
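Review bot: the `img-src` additions `https://github.com https://avatars.githubusercontent.com` are both required because the new avatar `<img>` points at `https://github.com/<user>.png`, which redirects to avatars.githubusercontent.com and CSP evaluates the redirect target as well; since `https://github.com` allows images from the whole origin rather than just the avatar path, a comment next to the header explaining why it is there would help future edits. Two things to confirm: the header value has to stay on a single line in the `_headers` file (it appears broken after `manifest-src 'self' https://*.netlify.app;` here, which would truncate the policy before `object-src 'none'` if the break is real), and `'unsafe-inline'` in `script-src` is ignored by browsers that honour the accompanying hashes, so it only serves as a fallback for CSP Level 1 clients. On the unchanged lines, `X-Frame-Options: SAMEORIGIN` is looser than `frame-ancestors 'none'`; `DENY` would match the CSP directive.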


@ -0,0 +1,46 @@
{{- $profile := index $.Site.Data.profiles.people .Profile }}
{{- if $profile }}
{{- $team := "" }}
{{- if $profile.team }}
{{- $team = index $.Site.Data.profiles.teams $profile.team }}
{{- end }}
<div class="card" style="border-radius: 15px;">
<div class="card-body text-center">
{{- if $profile.github }}
<div class="mt-3 mb-4">
<img src="https://github.com/{{ $profile.github }}.png"
class="rounded-circle img-fluid" style="width: 100px;" />
</div>
{{- end }}
<h4 class="mb-2">{{ $profile.display }}</h4>
{{- if $team }}
<p class="text-muted mb-4"><a href="{{ printf "%s#%s-team" (absURL "information/about") ($profile.team | lower) }}" target="_self">{{ $team.display }} Team</a></p>
{{- end }}
<div class="mb-4 pb-2">
{{- if $profile.email }}
<a role="button" class="btn btn-outline-primary btn-floating rounded-circle" href="mailto:{{ $profile.email }}" data-toggle="tooltip" data-placement="bottom" title="Email {{ $profile.display }} ({{ $profile.email }})">
<i class="bi bi-envelope-fill"></i>
</a>
{{- end }}
{{- if $profile.github }}
<a role="button" class="btn btn-outline-primary btn-floating rounded-circle" href="https://github.com/{{ $profile.github }}/" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Checkout {{ $profile.display }} on GitHub ({{ $profile.github }})">
<i class="bi bi-github"></i>
</a>
{{- end }}
{{- if $profile.matrix }}
<a role="button" class="btn btn-outline-primary btn-floating rounded-circle" href="https://matrix.to/#/{{ $profile.matrix }}" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Message {{ $profile.display }} on Matrix ({{ $profile.matrix }})">
<i class="bi bi-chat-right-quote-fill"></i>
</a>
{{- end }}
{{- if (and $profile.discord $profile.discord.id) }}
<a role="button" class="btn btn-outline-primary btn-floating rounded-circle" href="https://discord.com/users/{{ $profile.discord.id }}" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Message {{ $profile.display}} on Discord ({{ $profile.discord.tag }})">
<i class="bi bi-discord"></i>
</a>
{{- end }}
</div>
<a role="button" class="btn btn-primary btn-rounded btn-lg" href="{{ printf "%s/%s/" (absURL "contributors") .Profile }}">
Profile Details
</a>
</div>
</div>
{{- end }}
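Review bot: the avatar `<img src="https://github.com/{{ $profile.github }}.png" ...>` has no `alt` attribute; add `alt="{{ $profile.display }}"` (or `alt=""` if it is purely decorative). Smaller points: `{{ $profile.display}}` in the Discord link title is missing the space before `}}`, and "Checkout {{ $profile.display }} on GitHub" should read "Check out". The `target="_blank"` links correctly carry `rel="noopener"`.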


@ -0,0 +1,10 @@
{{- $key := .Get "name" }}
<section class="vh-100">
<div class="container py-5 h-100">
<div class="row d-flex justify-content-center align-items-center h-100">
<div class="col-md-12">
{{ partial "content/profile-card.html" (dict "Site" .Site "Profile" $key) }}
</div>
</div>
</div>
</section>
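Review bot: when the `name` parameter is missing or misspelled, `$key` does not resolve in the partial and the partial renders nothing, leaving an empty full-height `<section class="vh-100">` on the page with no build-time signal. Consider checking `index $.Site.Data.profiles.people $key` here and calling `errorf` (or `warnf`) when it is nil, or moving the wrapper markup inside the partial's `{{- if $profile }}` so nothing is emitted for an unknown profile.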


@ -0,0 +1,49 @@
{{- $key := .Get "name" }}
{{- $profile := index $.Site.Data.profiles.people $key }}
{{- if $profile }}
{{- $team := "" }}
{{- if $profile.team }}
{{- $team = index $.Site.Data.profiles.teams $profile.team }}
{{- end }}
{{- $email := false }}
{{- if $profile.email }}{{ $email = true }}{{ end }}
{{- $matrix := false }}
{{- if $profile.matrix }}{{ $matrix = true }}{{ end }}
{{- $discord := false }}
{{- if (and $profile.discord $profile.discord.id) }}{{ $discord = true }}{{ end }}
{{- if $profile.github }}
<div class="mt-3 mb-4">
<img src="https://github.com/{{ $profile.github }}.png"
class="rounded-circle img-fluid" style="width: 100px;" />
</div>
{{- if $team }}
<p class="text-muted mb-4"><a href="{{ printf "%s#%s-team" (absURL "information/about") ($profile.team | lower) }}" target="_self">{{ $team.display }} Team</a></p>
{{- end }}
<p class="text-muted mb-4">
<i class="bi bi-geo-alt"></i> {{ $profile.location }}
</p>
{{- if $profile.description }}
<p class="text-muted mb-4">{{ $profile.description }}</p>
{{- end }}
{{- if $profile.github }}
<p>
<i class="bi bi-github"></i> <a href="https://github.com/{{ $profile.github }}/" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Checkout {{ $profile.display }} on GitHub ({{ $profile.github }})">{{ $profile.github }}</a>
</p>
{{- end }}
{{- if $email }}
<p>
<i class="bi bi-envelope"></i> <a href="mailto:{{ $profile.email }}" data-toggle="tooltip" data-placement="bottom" title="Email {{ $profile.display }} ({{ $profile.email }})">{{ $profile.email }}</a>
</p>
{{- end }}
{{- if (or $matrix $discord) }}
<p>
{{- if $matrix }}
<i class="bi bi-chat-right-quote"></i> <a href="https://matrix.to/#/{{ $profile.matrix }}" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Message {{ $profile.display }} on Matrix ({{ $profile.matrix }})">{{ $profile.matrix }}</a>
{{- end }}
{{- if $discord }}
<i class="bi bi-discord"></i> <a href="https://discord.com/users/{{ $profile.discord.id }}" target="_blank" rel="noopener" data-toggle="tooltip" data-placement="bottom" title="Message {{ $profile.display}} on Discord ({{ $profile.discord.tag }})">{{ $profile.discord.tag }}</a>
{{- end }}
</p>
{{- end }}
{{- end }}
{{- end }}
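Review bot: the `{{- if $profile.github }}` opened just before the avatar `<div class="mt-3 mb-4">` is only closed by the second-to-last `{{- end }}`, so the team link, location, description, email, Matrix and Discord details are all skipped for a profile without a GitHub handle, and the inner `{{- if $profile.github }}` around the GitHub link becomes redundant. Move that first `{{- end }}` to directly after the avatar's closing `</div>`. Also `<i class="bi bi-geo-alt"></i> {{ $profile.location }}` renders the icon even when `location` is empty; guard it the same way as `description`.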


@ -0,0 +1,23 @@
{{- $key := .Get "name" }}
{{- $team := index $.Site.Data.profiles.teams $key }}
{{- if $team }}
{{- $header := .Get "header" }}
{{- if not $header }}{{ $header = "####" }}{{ end }}
{{ $team.description }}
{{ $header }} Responsibilities
{{- range $team.responsibilities }}
- {{ . }}
{{- end }}
{{ $header }} Members
<div class="row row-cols-1 row-cols-md-2 row-cols-xl-3 g-4">
{{- range $team.people }}
<div class="col col-align-c">
{{ partial "content/profile-card.html" (dict "Site" $.Site "Profile" .) }}
</div>
{{- end }}
</div>
{{- end }}
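Review bot: the shortcode emits markdown (`{{ $header }} Responsibilities` and `- {{ . }}`) mixed with raw HTML, so it only renders correctly when invoked with the `{{% team name="..." %}}` form; with `{{< team >}}` the heading and list appear as literal text, and with `{{% %}}` the `<div>` block still needs Goldmark's unsafe HTML rendering enabled to survive. Add a comment in the shortcode stating the required call form, and emit `errorf` when `index $.Site.Data.profiles.teams $key` is nil instead of silently rendering nothing.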