Add security information

Author: dondonz

docusaurus.config.js

@@ -67,6 +67,7 @@ const config = {
           {to: 'https://leanpub.com/graphql-java/', label: 'Book', position: 'left'},
           {to: '/tutorials/getting-started-with-spring-boot', label: 'Tutorial', position: 'left'},
           {to: '/blog', label: 'Blog', position: 'left'},
+          {to: '/security', label: 'Security', position: 'left'},
           {to: '/about', label: 'About', position: 'left'},
           {type: 'docsVersionDropdown', position: 'right'},
           {
@@ -93,6 +94,10 @@ const config = {
               {
                 label: 'JavaDoc',
                 to: 'https://javadoc.io/doc/com.graphql-java/graphql-java/',
+              },
+              {
+                label: 'Security',
+                to: '/security'
               }
             ],
           },

src/pages/security.md

@@ -0,0 +1,39 @@
+---
+title: Security
+description: Security policy and information
+hide_table_of_contents: true
+---
+
+# Security
+
+## Supported versions
+If a security issue occurs, we will patch the latest version and backport the security patch for versions released in the past 18 months, as stated in our [release policy](https://www.graphql-java.com/blog/release-policy).
+
+These fixes will be backported depending on severity and demand. As security fixes are time sensitive, we will release them on demand instead of waiting for the next scheduled release date.
+
+The maintainers reserve the right to make a pragmatic decision to make adjustments to the security policy.
+
+## Reporting a vulnerability
+:::caution
+🚨 To report a vulnerability, **DO NOT open a pull request or issue or GitHub discussion. DO NOT post publicly.**
+
+Instead, **report the vulnerability privately** via the Security tab on the [graphql-java GitHub repository](https://github.com/graphql-java/graphql-java). See instructions at [https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+:::
+
+
+## Common Vulnerabilities and Exposures (CVEs)
+
+#### CVE-2023-29470
+Patched by versions 20.2, 19.5, 18.5, 17.6, build version 0.0.0-2023-03-29T23-54-31-fabc3e0, or later
+* [Announcement on GitHub](https://github.com/graphql-java/graphql-java/discussions/3181)
+* [CVE link](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29470)
+
+#### CVE-2023-28867
+Patched by versions 20.1, 19.4, 18.4, 17.5, build version 0.0.0-2023-03-20T01-49-44-80e3135, or later
+* [Announcement on GitHub](https://github.com/graphql-java/graphql-java/discussions/3153)
+* [CVE link](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28867)
+
+#### CVE-2022-37734
+Patched by versions 19.0, 18.3, 17.4, build version 0.0.0-2022-07-26T05-45-04-226aabd9, or later
+* [Announcement on GitHub](https://github.com/graphql-java/graphql-java/discussions/2958)
+* [CVE link](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37734)