diff --git a/README.md b/README.md index b75c3c3..4cda113 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This repository contains [community health files][creating-default-community-health-files] and workflow configurations which can be inherited by other repositories within -this organization. +this organization. See [cisco-ospo/oss-template](https://github.com/cisco-ospo/oss-template) ## Acknowledgements diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md index 8af3c79..58a8aa2 100644 --- a/docs/CODE_OF_CONDUCT.md +++ b/docs/CODE_OF_CONDUCT.md @@ -1,79 +1,132 @@ - # Contributor Covenant Code of Conduct ## Our Pledge -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to make participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, sex characteristics, gender identity and expression, -level of experience, education, socio-economic status, nationality, personal -appearance, race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. -- Using welcoming and inclusive language -- Being respectful of differing viewpoints and experiences -- Gracefully accepting constructive criticism -- Focusing on what is best for the community -- Showing empathy towards other community members +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. -Examples of unacceptable behavior by participants include: +## Our Standards -- The use of sexualized language or imagery and unwelcome sexual attention or - advances -- Trolling, insulting/derogatory comments, and personal or political attacks -- Public or private harassment -- Publishing others' private information, such as a physical or electronic - address, without explicit permission -- Other conduct which could reasonably be considered inappropriate in a +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting -## Our Responsibilities +## Enforcement Responsibilities -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. ## Scope -This Code of Conduct applies within all project spaces, and it also applies when -an individual is representing the project or its community in public spaces. -Examples of representing a project or community include using an official -project e-mail address, posting via an official social media account, or acting -as an appointed representative at an online or offline event. Representation of -a project may be further defined and clarified by project maintainers. +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official email address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at [oss-conduct@cisco.com][conduct-email]. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. +reported to the community leaders responsible for enforcement at +[oss-conduct@cisco.com](mailto:oss-security@cisco.com). All complaints will be +reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. +### 2. Warning -[conduct-email]: mailto:oss-conduct@cisco.com +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. -[homepage]: https://www.contributor-covenant.org +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder][Mozilla CoC]. -For answers to common questions about this code of conduct, see -https://www.contributor-covenant.org/faq +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 7bd83d5..794ed8c 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -1,45 +1,56 @@ # How to Contribute -Thanks for your interest in contributing to ``! Here are a few general guidelines on contributing and -reporting bugs that we ask you to review. Following these guidelines helps to communicate that you respect the time of -the contributors managing and developing this open source project. In return, they should reciprocate that respect in -addressing your issue, assessing changes, and helping you finalize your pull requests. In that spirit of mutual respect, -we endeavor to review incoming issues and pull requests within 10 days, and will close any lingering issues or pull -requests after 60 days of inactivity. - -Please note that all of your interactions in the project are subject to our [Code of Conduct](/CODE_OF_CONDUCT.md). This -includes creation of issues or pull requests, commenting on issues or pull requests, and extends to all interactions in -any real-time space e.g., Slack, Discord, etc. +Thanks for your interest in contributing to ``! Here are a few +general guidelines on contributing and reporting bugs that we ask you to review. +Following these guidelines helps to communicate that you respect the time of the +contributors managing and developing this open source project. In return, they +should reciprocate that respect in addressing your issue, assessing changes, and +helping you finalize your pull requests. In that spirit of mutual respect, we +endeavor to review incoming issues and pull requests within 10 days, and will +close any lingering issues or pull requests after 60 days of inactivity. + +Please note that all of your interactions in the project are subject to our +[Code of Conduct](/CODE_OF_CONDUCT.md). This includes creation of issues or pull +requests, commenting on issues or pull requests, and extends to all interactions +in any real-time space e.g., Slack, Discord, etc. ## Reporting Issues -Before reporting a new issue, please ensure that the issue was not already reported or fixed by searching through our -[issues list](https://github.com/org_name/repo_name/issues). +Before reporting a new issue, please ensure that the issue was not already +reported or fixed by searching through our [issues +list](https://github.com/org_name/repo_name/issues). -When creating a new issue, please be sure to include a **title and clear description**, as much relevant information as -possible, and, if possible, a test case. +When creating a new issue, please be sure to include a **title and clear +description**, as much relevant information as possible, and, if possible, a +test case. -**If you discover a security bug, please do not report it through GitHub. Instead, please see security procedures in -[SECURITY.md](/SECURITY.md).** +**If you discover a security bug, please do not report it through GitHub. +Instead, please see security procedures in [SECURITY.md](/SECURITY.md).** ## Sending Pull Requests -Before sending a new pull request, take a look at existing pull requests and issues to see if the proposed change or fix -has been discussed in the past, or if the change was already implemented but not yet released. +Before sending a new pull request, take a look at existing pull requests and +issues to see if the proposed change or fix has been discussed in the past, or +if the change was already implemented but not yet released. -We expect new pull requests to include tests for any affected behavior, and, as we follow semantic versioning, we may -reserve breaking changes until the next major version release. +We expect new pull requests to include tests for any affected behavior, and, as +we follow semantic versioning, we may reserve breaking changes until the next +major version release. ## Other Ways to Contribute -We welcome anyone that wants to contribute to `` to triage and reply to open issues to help troubleshoot -and fix existing bugs. Here is what you can do: +We welcome anyone that wants to contribute to `` to triage and +reply to open issues to help troubleshoot and fix existing bugs. Here is what +you can do: -- Help ensure that existing issues follows the recommendations from the _[Reporting Issues](#reporting-issues)_ section, - providing feedback to the issue's author on what might be missing. -- Review and update the existing content of our [Wiki](https://github.com/org_name/repo_name/wiki) with up-to-date +- Help ensure that existing issues follows the recommendations from the + _[Reporting Issues](#reporting-issues)_ section, providing feedback to the + issue's author on what might be missing. +- Review and update the existing content of our + [Wiki](https://github.com/org_name/repo_name/wiki) with up-to-date instructions and code samples. -- Review existing pull requests, and testing patches against real existing applications that use ``. +- Review existing pull requests, and testing patches against real existing + applications that use ``. - Write a test, or add a missing test case to an existing test. Thanks again for your interest on contributing to ``! diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 210a9c1..41e4269 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -3,37 +3,55 @@ This document outlines security procedures and general policies for the `` project. -- [Reporting a Bug](#reporting-a-bug) -- [Disclosure Policy](#disclosure-policy) -- [Comments on this Policy](#comments-on-this-policy) +- [Disclosing a security issue](#disclosing-a-security-issue) +- [Vulnerability management](#vulnerability-management) +- [Suggesting changes](#suggesting-changes) -## Reporting a Bug +## Disclosing a security issue -The `` team and community take all security bugs in -`` seriously. Thank you for improving the security of -``. We appreciate your efforts and responsible disclosure and -will make every effort to acknowledge your contributions. +The `` maintainers take all security issues in the project +seriously. Thank you for improving the security of ``. We +appreciate your dedication to responsible disclosure and will make every effort +to acknowledge your contributions. -Report security bugs by emailing `oss-security@cisco.com`. +`` leverages GitHub's private vulnerability reporting. -The lead maintainer will acknowledge your email within 48 hours, and will send a -more detailed response within 48 hours indicating the next steps in handling -your report. After the initial reply to your report, the security team will -endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. +To learn more about this feature and how to submit a vulnerability report, +review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). -## Disclosure Policy +Here are some helpful details to include in your report: -When the security team receives a security bug report, they will assign it to a -primary handler. This person will coordinate the fix and release process, -involving the following steps: +- a detailed description of the issue +- the steps required to reproduce the issue +- versions of the project that may be affected by the issue +- if known, any mitigations for the issue -- Confirm the problem and determine the affected versions. -- Audit code to find any potential similar problems. -- Prepare fixes for all releases still under maintenance. These fixes will be - released as quickly as possible. +A maintainer will acknowledge the report within three (3) business days, and +will send a more detailed response within an additional three (3) business days +indicating the next steps in handling your report. -## Comments on this Policy +If you've been unable to successfully draft a vulnerability report via GitHub +or have not received a response during the alloted response window, please +reach out via the [Cisco Open security contact email](mailto:oss-security@cisco.com). -If you have suggestions on how this process could be improved please submit a -pull request. +After the initial reply to your report, the maintainers will endeavor to keep +you informed of the progress towards a fix and full announcement, and may ask +for additional information or guidance. + +## Vulnerability management + +When the maintainers receive a disclosure report, they will assign it to a +primary handler. + +This person will coordinate the fix and release process, which involves the +following steps: + +- confirming the issue +- determining affected versions of the project +- auditing code to find any potential similar problems +- preparing fixes for all releases under maintenance + +## Suggesting changes + +If you have suggestions on how this process could be improved please submit an +issue or pull request.