docs/audits: new page for the security audits

Moved over from security.html

Added the new HTTP/3 audit.

docs/Makefile

@@ -174,6 +174,7 @@ CVELIST = \
 PAGES = \
  $(CVELIST) \
  alt-svc.html \
+ audits.html \
  bugbounty.html \
  bugs.html \
  caextract.html \
@@ -436,6 +437,9 @@ ssl-ciphers.html: _ssl-ciphers.html $(MAINPARTS) ciphers.gen
 caextract.html: _caextract.html $(MAINPARTS) ../ca/pemlist.gen
  $(ACTION)
 
+audits.html: _audits.html $(MAINPARTS) $(ADVBOX)
+ $(ACTION)
+
 security.html: _security.html seclist.gen $(MAINPARTS) $(ADVBOX)
  fcpp $(FCPP_OPTS) -DSEVERITY=0 -I$(ROOT) -WWW -Uunix -P -H -C -V -LL $< $@
 security-m.html: _security.html seclist-m.gen $(MAINPARTS) $(ADVBOX)

docs/_audits.html

@@ -0,0 +1,44 @@
+#include "_doctype.html"
+<html>
+<head> <title>curl - security audits</title>
+#include "css.t"
+</head>
+
+#define CURL_DOCS
+#define REL_DOCS
+#define DOCS_AUDITS
+#define CURL_URL docs/audits.html
+
+#include "setup.t"
+#include "_menu.html"
+
+WHERE3(Docs, "/docs/", Releases, "/docs/reldocs.html", security audits)
+
+TITLE(curl security audit reports)
+#include "adv-related-box.inc"
+
+SUBTITLE(2024)
+<p>
+ <a href="https://www.trailofbits.com/">Trail of Bits</a> performed a
+ security audit of curl's HTTP/3 components, published on February 23, 2024.
+<p>
+ See <a href="audit/trail-of-bits-http3-report.pdf">cURL HTTP/3 Components</a>.
+
+SUBTITLE(2022)
+<p>
+ <a href="https://www.trailofbits.com/">Trail of Bits</a> performed a
+ security audit of curl source code and internals, published on December 21,
+ 2022.
+<p>
+ See <a href="audit/threatmodel-2022.pdf">Threat Model Report & Fix
+ Review</a> and <a href="audit/codereview-2022.pdf">Code Review &
+ Testing Analysis</a>.
+
+SUBTITLE(2016)
+<p>
+ <a href="https://cure53.de/">Cure 53</a>
+ performed <a href="audit/cure53-curl-report-2016.pdf">a security audit</a>,
+ published in August 2016.
+
+#include "_footer.html"
+</body> </html>

docs/_security.html

@@ -27,26 +27,12 @@
  If you find or simply suspect a security problem in curl or libcurl, please
  file a detailed report on our <a href="https://hackerone.com/curl">hackerone
  page</a> and tell.
-<p>
- We appreciate getting notified in advance before you go public with security
- advisories for the sake of our users. We disclose security vulnerabilities in
- association with our fixes for them.
+
 <p>
  See also the <a href="vulnerabilities.html">Vulnerabilities Table</a> to see
  what versions that are vulnerable to what flaws.
 
-SUBTITLE(Past security audits)
-<p>
- Cure 53 performed <a href="audit/cure53-curl-report-2016.pdf">a security
- audit</a> in August 2016.
-<p>
- Trail of Bits performed a security audit of curl source code and internals,
- published on December 21, 2022.
- See <a href="audit/threatmodel-2022.pdf">Threat Model Report & Fix
- Review</a> and <a href="audit/codereview-2022.pdf">Code Review &
- Testing Analysis</a>.
-
-SUBTITLE(Past vulnerabilities)
+SUBTITLE(Published vulnerabilities)
 
 <a href="security.html">All</a> |
 <a href="security-m.html">Medium+</a> |

docs/adv-related-box.inc

@@ -1,5 +1,6 @@
 <div class="relatedbox">
 <b>Related:</b>
+<br><a href="audits.html">Audits</a>
 <br><a href="/docs/bugbounty.html">Bug Bounty</a>
 <br><a href="/changes.html">Changelog</a>
 <br><a href="security.html">curl CVEs</a>