Update Code of Conduct and Security Policy (#23811)

Updates the readme, code of conduct and security policy per OSPO request.

.github/CONTRIBUTING.md

@@ -235,7 +235,7 @@ Additional references:
   our [CI system (Azure DevOps Pipelines)][ci-system]
   will run a suite of tests and automatically update the status of the pull request.
 * Our CI contains automated spell checking and link checking for Markdown files. If there is any false-positive,
-  [run the spellchecker command-line tool in interactive mode](#spellchecking-documentation)
+  [run the spell checker command-line tool in interactive mode](#spell-checking-documentation)
   to add words to the `.spelling` file.
 * Our packaging test may not pass and ask you to update `files.wxs` file if you add/remove/update nuget package references or add/remove assert files.
 
@@ -382,8 +382,8 @@ Once you sign a CLA, all your existing and future pull requests will have the st
 
 ## Code of Conduct Enforcement
 
-Reports of abuse will be reviewed by the PS-Committee and if it has been determined that violations of the
-Code of Conduct has occurred, then a temporary ban may be imposed.
+Reports of abuse will be reviewed by the [PowerShell Committee][ps-committee] and if it has been determined that violations of the
+[Code of Conduct](../CODE_OF_CONDUCT.md) has occurred, then a temporary ban may be imposed.
 The duration of the temporary ban will depend on the impact and/or severity of the infraction.
 This can vary from 1 day, a few days, a week, and up to 30 days.
 Repeat offenses may result in a permanent ban from the PowerShell org.
@@ -409,3 +409,4 @@ Repeat offenses may result in a permanent ban from the PowerShell org.
 [coding-guidelines]: ../docs/dev-process/coding-guidelines.md
 [breaking-changes-contract]: ../docs/dev-process/breaking-change-contract.md
 [rfc-process]: https://github.com/PowerShell/PowerShell-RFC
+[ps-committee]: ../docs/community/governance.md#powershell-committee

.github/SECURITY.md

@@ -1,12 +1,41 @@
-# Security Vulnerabilities
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
 
-Security issues are treated very seriously and will, by default,
-takes precedence over other considerations including usability, performance,
-etc...  Best effort will be used to mitigate side effects of a security
-change, but PowerShell must be secure by default.
+## Security
 
-## Reporting a security vulnerability
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin) and [PowerShell](https://github.com/PowerShell).
 
-If you believe that there is a security vulnerability in PowerShell,
-it **must** be reported using [https://aka.ms/secure-at](https://aka.ms/secure-at) to allow for [Coordinated Vulnerability Disclosure](https://technet.microsoft.com/security/dn467923).
-**Only** file an issue, if [MSRC](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue?rtc=1) has confirmed filing an issue is appropriate.
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->

.markdownlintignore

@@ -0,0 +1 @@
+.github/SECURITY.md

CODE_OF_CONDUCT.md

@@ -1,8 +1,10 @@
-# Code of Conduct
+# Microsoft Open Source Code of Conduct
 
-This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code].
-For more information see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments.
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
 
-[conduct-code]: https://opensource.microsoft.com/codeofconduct/
-[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
-[conduct-email]: mailto:opencode@microsoft.com
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)

README.md

@@ -139,12 +139,10 @@ The governance policy for the PowerShell project is described the [PowerShell Go
 
 [gov]: https://github.com/PowerShell/PowerShell/blob/master/docs/community/governance.md
 
-## [Code of Conduct][conduct-md]
+## [Code of Conduct](CODE_OF_CONDUCT.md)
 
-This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code].
-For more information, see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments.
+Please see our [Code of Conduct](CODE_OF_CONDUCT.md) before participating in this project.
 
-[conduct-code]: https://opensource.microsoft.com/codeofconduct/
-[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
-[conduct-email]: mailto:opencode@microsoft.com
-[conduct-md]: https://github.com/PowerShell/PowerShell/tree/master/CODE_OF_CONDUCT.md
+## [Security Policy](.github/SECURITY.md)
+
+For any security issues, please see our [Security Policy](.github/SECURITY.md).

docs/community/governance.md

@@ -6,7 +6,7 @@
   approving [RFCs][RFC-repo], and approving new maintainers/committee members
 * [**Repository maintainer**](#repository-maintainers): An individual responsible for merging pull requests (PRs) into `master` when all requirements are met (code review, tests, docs, and RFC approval as applicable).
   Repository Maintainers are the only people with write permissions for the `master` branch.
-* [**Working Groups (WGs)**](#working-groups-(wgs)) are collections of contributors responsible for
+* [**Working Groups (WGs)**](#working-groups) are collections of contributors responsible for
   providing expertise on a specific area of PowerShell in order to help establish consensus within
   the community and Committee.
 * **Corporation**: The Corporation owns the PowerShell repository and, under extreme circumstances,
@@ -58,6 +58,7 @@ If any Committee Members feels like this behavior is large enough to warrant an
 
 As a PowerShell Committee Member:
 
+1. **DO** enforce the [Code of Conduct][coc] by taking reports of abuse and violations to the committee for resolution
 1. **DO** reply to issues and pull requests with design opinions
   (this could include offering support for good work or exciting new features)
 1. **DO** encourage healthy discussion about the direction of PowerShell
@@ -66,7 +67,7 @@ As a PowerShell Committee Member:
 1. **DO** maintain a presence in the PowerShell community outside of GitHub (Twitter, blogs, Stack Overflow, Reddit, Hacker News, etc.)
 1. **DO** heavily incorporate community feedback into the weight of your decisions
 1. **DO** be polite and respectful to a wide variety of opinions and perspectives
-1. **DO** make sure contributors are following the [contributor guidelines](../../.github/CONTRIBUTING.md)
+1. **DO** make sure contributors are following the [contributing guidelines](../../.github/CONTRIBUTING.md)
 
 1. **DON'T** constantly raise "red flags" for unimportant or minor problems to the point that the progress of the project is being slowed
 1. **DON'T** offer up your opinions as the absolute opinion of the PowerShell Committee.
@@ -82,6 +83,19 @@ At any point in time, a Committee Member can nominate a strong community member
 Nominations should be submitted in the form of [RFCs][RFC-repo] detailing why that individual is qualified and how they will contribute.
 After the RFC has been discussed, a unanimous vote will be required for the new Committee Member to be confirmed.
 
+### PowerShell Committee Code of Conduct Enforcement
+
+As stated in the [contributing guidelines](../../.github/CONTRIBUTING.md#code-of-conduct-enforcement):
+
+Reports of abuse will be reviewed by the PowerShell Committee and if it has been determined that violations of the
+[Code of Conduct][coc] has occurred, then a temporary ban may be imposed.
+The duration of the temporary ban will depend on the impact and/or severity of the infraction.
+This can vary from 1 day, a few days, a week, and up to 30 days.
+Repeat offenses may result in a permanent ban from the PowerShell org.
+
+Microsoft employees on the PowerShell committee should review the available support at
+[aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support).
+
 ## Repository Maintainers
 
 Repository Maintainers are trusted stewards of the PowerShell community/repository responsible for maintaining consistency and quality of PowerShell code.
@@ -89,7 +103,7 @@ One of their primary responsibilities is merging pull requests after all require
 
 For more information on Repository Maintainers--their responsibilities, who they are, and how one becomes a Maintainer--see the [README for Repository Maintainers][maintainers].
 
-## Working Groups (WGs)
+## Working Groups
 
 [Working Groups (WGs)][wg] are collections of contributors with knowledge of specific components or
 technologies in the PowerShell domain.
@@ -143,6 +157,7 @@ See our [Pull Request Process][pull-request-process]
 [pester]: ../testing-guidelines/WritingPesterTests.md
 [breaking-changes]: ../dev-process/breaking-change-contract.md
 [issue-process]: ../maintainers/issue-management.md
+[coc]: ../../CODE_OF_CONDUCT.md
 [pull-request-process]: ../../.github/CONTRIBUTING.md#lifecycle-of-a-pull-request
 [docs-contributing]: https://github.com/PowerShell/PowerShell-Docs/blob/staging/CONTRIBUTING.md
 [maintainers]: ../maintainers/README.md

docs/maintainers/README.md

@@ -15,7 +15,6 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/
 - [Repository Maintainer Responsibilities](#repository-maintainer-responsibilities)
 - [Issue Management Process](#issue-management-process)
 - [Pull Request Workflow](#pull-request-workflow)
-    - [Abandoned Pull Requests](#abandoned-pull-requests)
 - [Becoming a Repository Maintainer](#becoming-a-repository-maintainer)
 
 ## Current Repository Maintainers
@@ -33,7 +32,7 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/
 
 <!-- please keep in alphabetical order -->
 
-- Andy Schwartzmeyer ([andschwa](https://github.com/andschwa))
+- Andy Jordan ([andyleejordan](https://github.com/andyleejordan))
 - Jason Shirk ([lzybkr](https://github.com/lzybkr))
 - Mike Richmond ([mirichmo](https://github.com/mirichmo))
 - Sergei Vorobev ([vors](https://github.com/vors))
@@ -44,6 +43,7 @@ Repository Maintainers enable rapid contributions while maintaining a high level
 
 If you are a Repository Maintainer, you:
 
+1. **MUST** abide by the [Code of Conduct](../../CODE_OF_CONDUCT.md) and report suspected violations to the [PowerShell Committee][ps-committee]
 1. **MUST** ensure that each contributor has signed a valid Microsoft Contributor License Agreement (CLA)
 1. **MUST** verify compliance with any third party code license terms (e.g., requiring attribution, etc.) if the contribution contains third party code.
 1. **MUST** make sure that [any change requiring approval from the PowerShell Committee](../community/governance.md#changes-that-require-an-rfc) has gone through the proper [RFC][RFC-repo] or approval process
@@ -96,10 +96,11 @@ At any point in time, the existing Repository Maintainers can unanimously nomina
 Nominations are brought to the PowerShell Committee to understand the reasons and justification.
 A simple majority of the PowerShell Committee is required to veto the nomination.
 When a nominee has been approved, a PR will be submitted by a current Maintainer to update this document to add the nominee's name to
-the [Current Repository Maintainers](#Current-Repository-Maintainers) with justification as the description of the PR to serve as the public announcement.
+the [Current Repository Maintainers](#current-repository-maintainers) with justification as the description of the PR to serve as the public announcement.
 
 [RFC-repo]: https://github.com/PowerShell/PowerShell-RFC
 [ci-system]: ../testing-guidelines/testing-guidelines.md#ci-system
 [issue-management]: issue-management.md
 [CONTRIBUTING]: ../../.github/CONTRIBUTING.md
 [best-practice]: best-practice.md
+[ps-committee]: ../community/governance.md#powershell-committee