Add contribution & vuln reporting guidelines
Showing 2 changed files with 84 additions and 0 deletions.
@@ -0,0 +1,64 @@ | ||
# Contributing Guide | ||
|
||
Thanks for taking interest to contributing to our project! | ||
|
||
## Pull Requests | ||
Prior to making a PR, we ask you to communicate it with us, preferably by opening an issue. | ||
This would help to keep your work aligned with the maintainers view and get insights from | ||
them. | ||
|
||
All commits are required to be signed via verified GPG key. You can read about commit signing | ||
in [this series of articles](https://docs.github.com/en/authentication/managing-commit-signature-verification) | ||
(we recommend using a hardware GPG token). | ||
|
||
All commits are required to be signed off by including `Signed-off-by: YOUR NAME <[email protected]>` line. | ||
By doing this, you certify that the commit is compliant with [Developer Certificate of Origin (DCO)](https://developercertificate.org/), | ||
meaning that you wrote the code or otherwise have the right to submit the code you are | ||
contributing to the project. | ||
|
||
```text | ||
Developer Certificate of Origin | ||
Version 1.1 | ||
Copyright (C) 2004, 2006 The Linux Foundation and its contributors. | ||
Everyone is permitted to copy and distribute verbatim copies of this | ||
license document, but changing it is not allowed. | ||
Developer's Certificate of Origin 1.1 | ||
By making a contribution to this project, I certify that: | ||
(a) The contribution was created in whole or in part by me and I | ||
have the right to submit it under the open source license | ||
indicated in the file; or | ||
(b) The contribution is based upon previous work that, to the best | ||
of my knowledge, is covered under an appropriate open source | ||
license and I have the right under that license to submit that | ||
work with modifications, whether created in whole or in part | ||
by me, under the same open source license (unless I am | ||
permitted to submit under a different license), as indicated | ||
in the file; or | ||
(c) The contribution was provided directly to me by some other | ||
person who certified (a), (b) or (c) and I have not modified | ||
it. | ||
(d) I understand and agree that this project and the contribution | ||
are public and that a record of the contribution (including all | ||
personal information I submit with it, including my sign-off) is | ||
maintained indefinitely and may be redistributed consistent with | ||
this project or the open source license(s) involved. | ||
``` | ||
|
||
Commits can be automatically signed off automatically by using `-s` flag (i.e. `git commit -s`). | ||
|
||
## Issues | ||
Feel free to open an issue if you found a bug, have a suggestion, or wish to | ||
communicate with us for other reasons. | ||
|
||
However, if you want to report something that you believe might be a security | ||
vulnerability or a security flaw in this or any upstream project, please report | ||
it following the procedure described in [SECURITY.md](./SECURITY.md). |
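Review bot: the "Pull Requests" section states two separate requirements (a GPG signature on every commit and a DCO sign-off line) but only shows the flag for the second one, and the two are easy to confuse: `git commit -s` adds the `Signed-off-by:` trailer, while the GPG signature needs `git commit -S` (capital S) or `git config commit.gpgsign true`. Suggest giving both commands side by side where `-s` is introduced, and stating whether signatures are enforced by the repository (a branch protection rule requiring signed commits) or only checked by maintainers at review time, since a policy that is not enforced will silently admit unsigned commits. Wording nits in the same hunk: "taking interest to contributing" should read "taking an interest in contributing", "maintainers view" needs the possessive "maintainers' view", and "can be automatically signed off automatically" repeats "automatically".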
@@ -0,0 +1,20 @@ | ||
# Security Policy | ||
|
||
## Supported Versions | ||
|
||
Only the latest version of the library is supported. | ||
|
||
## Reporting a Vulnerability | ||
|
||
We ask to report any security vulnerabilities or flaws through: | ||
|
||
1. Github, in the "Security" tab, using the "Report a vulnerability" button. | ||
2. Email, [email protected] | ||
|
||
After receiving the report, it will take us up to 2 working days to respond. | ||
We will evaluate the reported vulnerability, determine whether it needs to | ||
be addressed, and (if so) and provide an estimated timeline for addressing it. | ||
|
||
After vulnerability was fixed and the new version of the library was | ||
properly tested, we publish the fix, and publicly disclose the vulnerability | ||
(credits for finding the issue go to the reporter). |
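Review bot: the "Reporting a Vulnerability" section offers plain email as a reporting channel but gives the reporter no way to encrypt the report, even though the contributing guide asks every contributor to hold a GPG key; suggest either publishing a PGP key (or a link to one) next to the address or stating that the GitHub "Report a vulnerability" form is the preferred channel for sensitive details. The process also commits to a 2-working-day first response but sets no expectation for the disclosure side: how long the reporter is asked to hold the details, and whether a CVE will be requested when the fix is published. Wording nits: "determine whether it needs to be addressed, and (if so) and provide" has a duplicated "and", and "After vulnerability was fixed and the new version of the library was properly tested" should read "After the vulnerability has been fixed and the new version of the library has been properly tested".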