From 7ec8e4ed8f47e81e70de5353500f8a01d5fe396c Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 14 Jun 2024 16:44:39 -0700 Subject: [PATCH] Update Code of Conduct and Security Policy (#23811) Updates the readme, code of conduct and security policy per OSPO request. --- .github/CONTRIBUTING.md | 15 ++++++------ .github/SECURITY.md | 47 +++++++++++++++++++++++++++++------- .markdownlintignore | 1 + CODE_OF_CONDUCT.md | 14 ++++++----- README.md | 12 ++++----- docs/community/governance.md | 23 +++++++++++++++--- docs/maintainers/README.md | 7 +++--- 7 files changed, 83 insertions(+), 36 deletions(-) create mode 100644 .markdownlintignore diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 2515c32efa..c90f304631 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -73,13 +73,13 @@ made. In most cases, it means "one clause/idea per line". * Otherwise, these issues should be treated like any other issue in this repository. -#### Spellchecking documentation +#### Spell checking documentation Documentation is spellchecked. We use the [textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) command-line tool, which can be run in interactive mode to correct typos. -To run the spellchecker, follow these steps: +To run the spell checker, follow these steps: * install [Node.js](https://nodejs.org/en/) (v10 or up) * install [textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) by @@ -169,7 +169,7 @@ Additional references: A better example is: "Add Ensure parameter to New-Item cmdlet", with "Fix #5" in the PR's body. * When you create a pull request, include a summary about your changes in the PR description. - The description is used to create change logs, + The description is used to create changelogs, so try to have the first sentence explain the benefit to end users. If the changes are related to an existing GitHub issue, please reference the issue in the PR description (e.g. ```Fix #11```). @@ -234,8 +234,8 @@ Additional references: * After submitting your pull request, our [CI system (Azure DevOps Pipelines)][ci-system] will run a suite of tests and automatically update the status of the pull request. -* Our CI contains automated spellchecking and link checking for Markdown files. If there is any false-positive, - [run the spellchecker command-line tool in interactive mode](#spellchecking-documentation) +* Our CI contains automated spell checking and link checking for Markdown files. If there is any false-positive, + [run the spell checker command-line tool in interactive mode](#spell-checking-documentation) to add words to the `.spelling` file. * Our packaging test may not pass and ask you to update `files.wxs` file if you add/remove/update nuget package references or add/remove assert files. @@ -382,8 +382,8 @@ Once you sign a CLA, all your existing and future pull requests will have the st ## Code of Conduct Enforcement -Reports of abuse will be reviewed by the PS-Committee and if it has been determined that violations of the -Code of Conduct has occurred, then a temporary ban may be imposed. +Reports of abuse will be reviewed by the [PowerShell Committee][ps-committee] and if it has been determined that violations of the +[Code of Conduct](../CODE_OF_CONDUCT.md) has occurred, then a temporary ban may be imposed. The duration of the temporary ban will depend on the impact and/or severity of the infraction. This can vary from 1 day, a few days, a week, and up to 30 days. Repeat offenses may result in a permanent ban from the PowerShell org. @@ -409,3 +409,4 @@ Repeat offenses may result in a permanent ban from the PowerShell org. [coding-guidelines]: ../docs/dev-process/coding-guidelines.md [breaking-changes-contract]: ../docs/dev-process/breaking-change-contract.md [rfc-process]: https://github.com/PowerShell/PowerShell-RFC +[ps-committee]: ../docs/community/governance.md#powershell-committee diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 6241b2c57b..f941d308b1 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,12 +1,41 @@ -# Security Vulnerabilities + -Security issues are treated very seriously and will, by default, -takes precedence over other considerations including usability, performance, -etc... Best effort will be used to mitigate side effects of a security -change, but PowerShell must be secure by default. +## Security -## Reporting a security vulnerability +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin) and [PowerShell](https://github.com/PowerShell). -If you believe that there is a security vulnerability in PowerShell, -it **must** be reported using [https://aka.ms/secure-at](https://aka.ms/secure-at) to allow for [Coordinated Vulnerability Disclosure](https://technet.microsoft.com/security/dn467923). -**Only** file an issue, if [MSRC](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue?rtc=1) has confirmed filing an issue is appropriate. +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd). + + diff --git a/.markdownlintignore b/.markdownlintignore new file mode 100644 index 0000000000..1d3c5b1ac9 --- /dev/null +++ b/.markdownlintignore @@ -0,0 +1 @@ +.github/SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 90768d1293..686e5e7a09 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,8 +1,10 @@ -# Code of Conduct +# Microsoft Open Source Code of Conduct -This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code]. -For more information see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments. +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -[conduct-code]: https://opensource.microsoft.com/codeofconduct/ -[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/ -[conduct-email]: mailto:opencode@microsoft.com +Resources: + +- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) +- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) +- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns +- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support) diff --git a/README.md b/README.md index 48bf266a15..1fed296663 100644 --- a/README.md +++ b/README.md @@ -139,12 +139,10 @@ The governance policy for the PowerShell project is described the [PowerShell Go [gov]: https://github.com/PowerShell/PowerShell/blob/master/docs/community/governance.md -## [Code of Conduct][conduct-md] +## [Code of Conduct](CODE_OF_CONDUCT.md) -This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code]. -For more information, see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments. +Please see our [Code of Conduct](CODE_OF_CONDUCT.md) before participating in this project. -[conduct-code]: https://opensource.microsoft.com/codeofconduct/ -[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/ -[conduct-email]: mailto:opencode@microsoft.com -[conduct-md]: https://github.com/PowerShell/PowerShell/tree/master/CODE_OF_CONDUCT.md +## [Security Policy](.github/SECURITY.md) + +For any security issues, please see our [Security Policy](.github/SECURITY.md). diff --git a/docs/community/governance.md b/docs/community/governance.md index 8cc989d249..c401920bec 100644 --- a/docs/community/governance.md +++ b/docs/community/governance.md @@ -6,7 +6,7 @@ approving [RFCs][RFC-repo], and approving new maintainers/committee members * [**Repository maintainer**](#repository-maintainers): An individual responsible for merging pull requests (PRs) into `master` when all requirements are met (code review, tests, docs, and RFC approval as applicable). Repository Maintainers are the only people with write permissions for the `master` branch. -* [**Working Groups (WGs)**](#working-groups-(wgs)) are collections of contributors responsible for +* [**Working Groups (WGs)**](#working-groups) are collections of contributors responsible for providing expertise on a specific area of PowerShell in order to help establish consensus within the community and Committee. * **Corporation**: The Corporation owns the PowerShell repository and, under extreme circumstances, @@ -58,15 +58,16 @@ If any Committee Members feels like this behavior is large enough to warrant an As a PowerShell Committee Member: +1. **DO** enforce the [Code of Conduct][coc] by taking reports of abuse and violations to the committee for resolution 1. **DO** reply to issues and pull requests with design opinions (this could include offering support for good work or exciting new features) 1. **DO** encourage healthy discussion about the direction of PowerShell 1. **DO** raise "red flags" on PRs that haven't followed the proper RFC process when applicable 1. **DO** contribute to documentation and best practices -1. **DO** maintain a presence in the PowerShell community outside of GitHub (Twitter, blogs, StackOverflow, Reddit, Hacker News, etc.) +1. **DO** maintain a presence in the PowerShell community outside of GitHub (Twitter, blogs, Stack Overflow, Reddit, Hacker News, etc.) 1. **DO** heavily incorporate community feedback into the weight of your decisions 1. **DO** be polite and respectful to a wide variety of opinions and perspectives -1. **DO** make sure contributors are following the [contributor guidelines](../../.github/CONTRIBUTING.md) +1. **DO** make sure contributors are following the [contributing guidelines](../../.github/CONTRIBUTING.md) 1. **DON'T** constantly raise "red flags" for unimportant or minor problems to the point that the progress of the project is being slowed 1. **DON'T** offer up your opinions as the absolute opinion of the PowerShell Committee. @@ -82,6 +83,19 @@ At any point in time, a Committee Member can nominate a strong community member Nominations should be submitted in the form of [RFCs][RFC-repo] detailing why that individual is qualified and how they will contribute. After the RFC has been discussed, a unanimous vote will be required for the new Committee Member to be confirmed. +### PowerShell Committee Code of Conduct Enforcement + +As stated in the [contributing guidelines](../../.github/CONTRIBUTING.md#code-of-conduct-enforcement): + +Reports of abuse will be reviewed by the PowerShell Committee and if it has been determined that violations of the +[Code of Conduct][coc] has occurred, then a temporary ban may be imposed. +The duration of the temporary ban will depend on the impact and/or severity of the infraction. +This can vary from 1 day, a few days, a week, and up to 30 days. +Repeat offenses may result in a permanent ban from the PowerShell org. + +Microsoft employees on the PowerShell committee should review the available support at +[aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support). + ## Repository Maintainers Repository Maintainers are trusted stewards of the PowerShell community/repository responsible for maintaining consistency and quality of PowerShell code. @@ -89,7 +103,7 @@ One of their primary responsibilities is merging pull requests after all require For more information on Repository Maintainers--their responsibilities, who they are, and how one becomes a Maintainer--see the [README for Repository Maintainers][maintainers]. -## Working Groups (WGs) +## Working Groups [Working Groups (WGs)][wg] are collections of contributors with knowledge of specific components or technologies in the PowerShell domain. @@ -143,6 +157,7 @@ See our [Pull Request Process][pull-request-process] [pester]: ../testing-guidelines/WritingPesterTests.md [breaking-changes]: ../dev-process/breaking-change-contract.md [issue-process]: ../maintainers/issue-management.md +[coc]: ../../CODE_OF_CONDUCT.md [pull-request-process]: ../../.github/CONTRIBUTING.md#lifecycle-of-a-pull-request [docs-contributing]: https://github.com/PowerShell/PowerShell-Docs/blob/staging/CONTRIBUTING.md [maintainers]: ../maintainers/README.md diff --git a/docs/maintainers/README.md b/docs/maintainers/README.md index e592661cf8..ebba4b0225 100644 --- a/docs/maintainers/README.md +++ b/docs/maintainers/README.md @@ -15,7 +15,6 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/ - [Repository Maintainer Responsibilities](#repository-maintainer-responsibilities) - [Issue Management Process](#issue-management-process) - [Pull Request Workflow](#pull-request-workflow) - - [Abandoned Pull Requests](#abandoned-pull-requests) - [Becoming a Repository Maintainer](#becoming-a-repository-maintainer) ## Current Repository Maintainers @@ -33,7 +32,7 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/ -- Andy Schwartzmeyer ([andschwa](https://github.com/andschwa)) +- Andy Jordan ([andyleejordan](https://github.com/andyleejordan)) - Jason Shirk ([lzybkr](https://github.com/lzybkr)) - Mike Richmond ([mirichmo](https://github.com/mirichmo)) - Sergei Vorobev ([vors](https://github.com/vors)) @@ -44,6 +43,7 @@ Repository Maintainers enable rapid contributions while maintaining a high level If you are a Repository Maintainer, you: +1. **MUST** abide by the [Code of Conduct](../../CODE_OF_CONDUCT.md) and report suspected violations to the [PowerShell Committee][ps-committee] 1. **MUST** ensure that each contributor has signed a valid Microsoft Contributor License Agreement (CLA) 1. **MUST** verify compliance with any third party code license terms (e.g., requiring attribution, etc.) if the contribution contains third party code. 1. **MUST** make sure that [any change requiring approval from the PowerShell Committee](../community/governance.md#changes-that-require-an-rfc) has gone through the proper [RFC][RFC-repo] or approval process @@ -96,10 +96,11 @@ At any point in time, the existing Repository Maintainers can unanimously nomina Nominations are brought to the PowerShell Committee to understand the reasons and justification. A simple majority of the PowerShell Committee is required to veto the nomination. When a nominee has been approved, a PR will be submitted by a current Maintainer to update this document to add the nominee's name to -the [Current Repository Maintainers](#Current-Repository-Maintainers) with justification as the description of the PR to serve as the public announcement. +the [Current Repository Maintainers](#current-repository-maintainers) with justification as the description of the PR to serve as the public announcement. [RFC-repo]: https://github.com/PowerShell/PowerShell-RFC [ci-system]: ../testing-guidelines/testing-guidelines.md#ci-system [issue-management]: issue-management.md [CONTRIBUTING]: ../../.github/CONTRIBUTING.md [best-practice]: best-practice.md +[ps-committee]: ../community/governance.md#powershell-committee