Skip to content

Commit

Permalink
Merge pull request #8 from dfns/dco
Browse files Browse the repository at this point in the history
Add contribution & vuln reporting guidelines
  • Loading branch information
survived authored Aug 2, 2024
2 parents 7e3bc05 + 4bc95b3 commit 13a3021
Show file tree
Hide file tree
Showing 2 changed files with 84 additions and 0 deletions.
64 changes: 64 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Contributing Guide

Thanks for taking interest to contributing to our project!

## Pull Requests
Prior to making a PR, we ask you to communicate it with us, preferably by opening an issue.
This would help to keep your work aligned with the maintainers view and get insights from
them.

All commits are required to be signed via verified GPG key. You can read about commit signing
in [this series of articles](https://docs.github.com/en/authentication/managing-commit-signature-verification)
(we recommend using a hardware GPG token).

All commits are required to be signed off by including `Signed-off-by: YOUR NAME <[email protected]>` line.
By doing this, you certify that the commit is compliant with [Developer Certificate of Origin (DCO)](https://developercertificate.org/),
meaning that you wrote the code or otherwise have the right to submit the code you are
contributing to the project.

```text
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
```

Commits can be automatically signed off automatically by using `-s` flag (i.e. `git commit -s`).

## Issues
Feel free to open an issue if you found a bug, have a suggestion, or wish to
communicate with us for other reasons.

However, if you want to report something that you believe might be a security
vulnerability or a security flaw in this or any upstream project, please report
it following the procedure described in [SECURITY.md](./SECURITY.md).
20 changes: 20 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Security Policy

## Supported Versions

Only the latest version of the library is supported.

## Reporting a Vulnerability

We ask to report any security vulnerabilities or flaws through:

1. Github, in the "Security" tab, using the "Report a vulnerability" button.
2. Email, [email protected]

After receiving the report, it will take us up to 2 working days to respond.
We will evaluate the reported vulnerability, determine whether it needs to
be addressed, and (if so) and provide an estimated timeline for addressing it.

After vulnerability was fixed and the new version of the library was
properly tested, we publish the fix, and publicly disclose the vulnerability
(credits for finding the issue go to the reporter).

0 comments on commit 13a3021

Please sign in to comment.