
Conversation

@abstractj
Contributor

This PR introduces the link to the external bug bounty program on our main security page. The motivation for merging this is to support @ahus1 FOSDEM presentation. We are currently under an agreement with YesWeHack and the EC not to publish or promote this program on social media until January.

I feel 50/50 about pushing this change now, due to the following concerns:

  • The program is temporary. It will last a maximum of nine months. Afterwards we will be required to remove the link next year.

  • It may give our community the false impression that this is a permanent, internally run bug bounty program, when its existence is entirely dependent on external EC funding.

  • It is not standard practice across established OSS projects to advertise temporary programs as a part of their documentation.

A dedicated blog post and social media campaign, timed for the official January announcement, should be enough.

I'm fine with whatever the reviewers agree.

@ahus1
Contributor

ahus1 commented Nov 27, 2025

I would argue as follows: Those people who come to the Keycloak webpage and read the security policy would miss out on the opportunity to request a bug bounty for their findings, and would be sad when they learn they could have applied for a bug bounty.

I see your point that people might be disappointed when there is later no more bug bounty. Maybe they even submit fewer items due to that. To manage the expectations, we should outline in the text that this bug bounty opportunity is time bound and budget restricted.

Once we run out of funds, we can evaluate the program. If we found the program beneficial, and can outline the advantages, we try to find a new sponsor, and have a similar disclaimer.

Contributor

@rmartinc rmartinc left a comment

LGTM @abstractj!

@sschu

sschu commented Nov 28, 2025

Shouldn't we make it clear already in this text that the bug bounty program is temporary?

@ahus1
Contributor

ahus1 commented Nov 28, 2025

Shouldn't we make it clear already in this text that the bug bounty program is temporary?

+1 for that.

@stianst
Contributor

stianst commented Nov 28, 2025

I'm okay with this as long as the text is updated to make it clear it's temporary and we remember to remove the link when/if there is no longer a bounty.

@ahus1
Contributor

ahus1 commented Dec 1, 2025

@abstractj / @sschu / @rmartinc - I've updated the PR to be more explicit about the time- and budget-bound nature of the BB.

I had a look at how others do it: https://www.jenkins.io/security/reporting/ ... and I also found this paragraph about attribution which was IMHO missing. If there are any questions around that paragraph, I can push that to a different issue.

Signed-off-by: Alexander Schwartz <[email protected]>
@ahus1 ahus1 self-assigned this Dec 1, 2025

5 participants