diff --git a/CONTRIBUTING_CN.md b/CONTRIBUTING_CN.md
index 47700d78b..d673ab1e2 100644
--- a/CONTRIBUTING_CN.md
+++ b/CONTRIBUTING_CN.md
@@ -23,7 +23,7 @@
## 报告安全问题
-安全问题总是得到认真对待。作为我们通常的原则,我们不鼓励任何人传播安全问题。如果您发现Higress的安全问题,请不要公开讨论,甚至不要公开问题。相反,我们鼓励您向 [higress@googlegroups.com](mailto:higress@googlegroups.com) 发送私人电子邮件 以报告此情况。
+安全问题总是得到认真对待。作为我们通常的原则,我们不鼓励任何人传播安全问题。如果您发现 Higress 的安全问题,请不要公开讨论,甚至不要公开 issue。请按照 [`SECURITY.md`](./SECURITY.md) 中描述的流程私密报告漏洞。
## 报告一般问题
@@ -204,10 +204,18 @@ make prebuild && go mod tidy
任何测试用例都会受到欢迎。目前,Higress 功能测试用例是高优先级的。
-* 对于单元测试,您需要在同一模块的 test 目录中创建一个名为 xxxTest.go 的测试文件。
+### 新功能的测试要求
-* 对于集成测试,您可以将集成测试放在 test 目录。
-//TBD
+- **新 Wasm 插件**:必须包含单元测试,代码覆盖率不低于 30%(CI 强制检查)。
+- **新核心功能**:应包含单元测试,适用时还应添加 E2E 一致性测试用例。
+- **Bug 修复**:应包含能复现该 Bug 的回归测试。
+- **Patch 覆盖率**:新增或修改的代码必须达到 50% 的覆盖率(由 Codecov 通过 `codecov.yml` 强制检查)。
+
+### 如何编写测试
+
+* 对于单元测试,在同一模块的 test 目录中创建一个名为 `xxxTest.go` 的测试文件。
+* 对于集成测试,将集成测试放在 test 目录。
+* 对于 Wasm 插件 E2E 测试,在 `test/e2e/conformance/tests/` 中添加测试用例。详见 [test/README.md](./test/README.md)。
## 参与帮助任何事情
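Review bot: the unit-test file name `xxxTest.go` in the new "如何编写测试" list will not be picked up by `go test`, which only compiles files whose names end in `_test.go`; since these lines are being rewritten anyway, change it to `xxx_test.go`. The two coverage thresholds in "新功能的测试要求" also need reconciling: a new Wasm plugin is entirely new code, so the 50% patch-coverage target in the fourth bullet would apply to it as well and is stricter than the 30% figure in the first bullet; state which check governs for plugins.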
diff --git a/CONTRIBUTING_EN.md b/CONTRIBUTING_EN.md
index 5df39db4c..408e6be59 100644
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -23,7 +23,7 @@ Your interest in contributing to Higress is warmly welcomed. First, we encourage
## Reporting security issues
-Security issues are always treated seriously. As our usual principle, we discourage anyone to spread security issues. If you find a security issue of Higress, please do not discuss it in public and even do not open a public issue. Instead we encourage you to send us a private email to [higress@googlegroups.com](mailto:higress@googlegroups.com) to report this.
+Security issues are always treated seriously. As our usual principle, we discourage anyone to spread security issues. If you find a security issue of Higress, please do not discuss it in public and even do not open a public issue. Instead please follow the process described in [`SECURITY.md`](./SECURITY.md) to report vulnerabilities privately.
## Reporting general issues
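Review bot: the rewritten sentence keeps the grammar of the old one; "we discourage anyone to spread security issues" should read "we discourage anyone from spreading security issues", and "and even do not open a public issue" reads better as "and do not even open a public issue". A comma after "Instead" in the new last sentence would also help, since the rest of the paragraph is otherwise unchanged.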
@@ -204,9 +204,18 @@ make prebuild && go mod tidy
Any test case would be welcomed. Currently, Higress function test cases are high priority.
-* For unit test, you need to create a test file named `xxxTest.go` in the test directory of the same module.
-* For integration test, you can put the integration test in the test directory.
-//TBD
+### Test requirements for new functionality
+
+- **New Wasm plugins**: MUST include unit tests with at least 30% code coverage (enforced by CI).
+- **New core features**: SHOULD include unit tests and, where applicable, E2E conformance test cases.
+- **Bug fixes**: SHOULD include a regression test that reproduces the bug.
+- **Patch coverage**: New or changed code must meet a 50% coverage target for the patch (enforced by Codecov via `codecov.yml`).
+
+### How to write tests
+
+* For unit tests, create a test file named `xxxTest.go` in the test directory of the same module.
+* For integration tests, you can put the integration test in the test directory.
+* For Wasm plugin E2E tests, add test cases in `test/e2e/conformance/tests/`. See [test/README.md](./test/README.md) for details.
## Engage to help anything
We choose GitHub as the primary place for Higress to collaborate. So the latest updates of Higress are always here. Although contributions via PR is an explicit way to help, we still call for any other ways.
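Review bot: the new "How to write tests" list still tells contributors to create `xxxTest.go`, but `go test` only compiles files ending in `_test.go`, so a file with that name is silently ignored; use `xxx_test.go`. In "Test requirements for new functionality", the 30% minimum for new Wasm plugins and the 50% patch-coverage target overlap, because a new plugin is entirely new or changed code; say explicitly whether the plugin threshold is an exception to the patch target or whether both checks must pass.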
diff --git a/CONTRIBUTING_JP.md b/CONTRIBUTING_JP.md
index 5541a5220..699d887ec 100644
--- a/CONTRIBUTING_JP.md
+++ b/CONTRIBUTING_JP.md
@@ -23,7 +23,7 @@ Higress のハッキングに興味がある場合は、温かく歓迎します
## セキュリティ問題の報告
-セキュリティ問題は常に真剣に扱われます。通常の原則として、セキュリティ問題を広めることは推奨しません。Higress のセキュリティ問題を発見した場合は、公開で議論せず、公開の問題を開かないでください。代わりに、[higress@googlegroups.com](mailto:higress@googlegroups.com) にプライベートなメールを送信して報告することをお勧めします。
+セキュリティ問題は常に真剣に扱われます。通常の原則として、セキュリティ問題を広めることは推奨しません。Higress のセキュリティ問題を発見した場合は、公開で議論せず、公開の issue を開かないでください。[`SECURITY.md`](./SECURITY.md) に記載されたプロセスに従って、脆弱性を非公開で報告してください。
## 一般的な問題の報告
@@ -199,9 +199,18 @@ make prebuild && go mod tidy
テストケースは歓迎されます。現在、Higress の機能テストケースが高優先度です。
-* 単体テストの場合、同じモジュールの test ディレクトリに xxxTest.go という名前のテストファイルを作成する必要があります。
-* 統合テストの場合、統合テストを test ディレクトリに配置できます。
-//TBD
+### 新機能のテスト要件
+
+- **新しい Wasm プラグイン**:30% 以上のコードカバレッジを持つユニットテストを含める必要があります(CI で強制チェック)。
+- **新しいコア機能**:ユニットテストを含めるべきであり、該当する場合は E2E コンフォーマンステストケースも追加すべきです。
+- **バグ修正**:バグを再現する回帰テストを含めるべきです。
+- **パッチカバレッジ**:新規または変更されたコードは 50% のカバレッジ目標を満たす必要があります(Codecov が `codecov.yml` を通じて強制チェック)。
+
+### テストの書き方
+
+* ユニットテストの場合、同じモジュールの test ディレクトリに `xxxTest.go` という名前のテストファイルを作成します。
+* 統合テストの場合、統合テストを test ディレクトリに配置します。
+* Wasm プラグイン E2E テストの場合、`test/e2e/conformance/tests/` にテストケースを追加します。詳細は [test/README.md](./test/README.md) を参照してください。
## 何かを手伝うための参加
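Review bot: same problem as in the CN and EN files: `xxxTest.go` in "テストの書き方" is not a valid Go test file name, since `go test` only compiles files ending in `_test.go`; change it to `xxx_test.go`. The relationship between the 30% plugin threshold and the 50% patch-coverage target in "新機能のテスト要件" should also be stated here so the three translations agree.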
diff --git a/README.md b/README.md
index 95b1d3973..0a23c7815 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@
[](https://www.apache.org/licenses/LICENSE-2.0.html)
[](https://discord.gg/tSbww9VDaM)
[](https://www.cncf.io/projects/)
-[](https://www.bestpractices.dev/)
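Review bot: the removed badge links to the generic https://www.bestpractices.dev/ landing page rather than a project-specific entry, so dropping it is reasonable, but nothing in the patch records why the OpenSSF Best Practices badge goes away; the commit message should say whether it is removed for good or only until a project entry exists. The identical deletion is repeated in README_JP.md and README_ZH.md below, so one explanation covers all three.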
diff --git a/README_JP.md b/README_JP.md
index 3cde17728..6243bed77 100644
--- a/README_JP.md
+++ b/README_JP.md
@@ -9,7 +9,6 @@
[](https://github.com/alibaba/higress/actions)
[](https://www.apache.org/licenses/LICENSE-2.0.html)
[](https://www.cncf.io/projects/)
-[](https://www.bestpractices.dev/)
[**公式サイト**](https://higress.cn/) |
[**ドキュメント**](https://higress.cn/docs/latest/overview/what-is-higress/) |
diff --git a/README_ZH.md b/README_ZH.md
index b6e56912f..c7b524241 100644
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -11,7 +11,6 @@
[](https://github.com/alibaba/higress/actions)
[](https://www.apache.org/licenses/LICENSE-2.0.html)
[](https://www.cncf.io/projects/)
-[](https://www.bestpractices.dev/)
diff --git a/SECURITY.md b/SECURITY.md
index d643ca19b..123d56692 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,15 +1,85 @@
# Security Policy
+The Higress team takes security seriously. We appreciate your efforts to
+responsibly disclose your findings and will make every effort to acknowledge
+your contributions.
+
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 2.x.x | :white_check_mark: |
| 1.x.x | :white_check_mark: |
-| < 1.0.0 | :x: |
+| < 1.0.0 | :x: |
## Reporting a Vulnerability
-Please report any security issue or Higress crash report to [ASRC](https://security.alibaba.com/)(Alibaba Security Response Center) where the issue will be triaged appropriately.
+**Please do NOT report security vulnerabilities through public GitHub issues,
+discussions, or pull requests.**
-Thank you in advance for helping to keep Higress secure.
+Instead, please report them through one of the following private channels:
+
+- **GitHub Private Security Advisory**:
+
+- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com)
+
+Please include as much of the following information as possible to help us
+triage and address the issue:
+
+- Type of issue (e.g., buffer overflow, injection, privilege escalation, etc.)
+- Full paths of source file(s) related to the issue (if known)
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit it
+- Any suggested fix or mitigation (if available)
+
+## Response Process
+
+The Higress security team will follow these steps upon receiving a report:
+
+1. **Acknowledgement**: We will acknowledge receipt of your report within
+ **3 business days**.
+2. **Triage**: We will evaluate the report, confirm the vulnerability, and
+ determine its severity and impact within **14 days**.
+3. **Fix Development**: We will develop a fix and coordinate with you on an
+ appropriate disclosure timeline.
+4. **Disclosure**: We will publish a security advisory via
+ [GitHub Security Advisories](https://github.com/higress-group/higress/security/advisories)
+ and credit you for the discovery (unless you prefer to remain anonymous).
+
+We aim to resolve critical vulnerabilities as quickly as possible and will
+keep you informed of our progress throughout the process.
+
+## Security Response Team
+
+The Higress security response is handled by the project maintainers listed in
+[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to
+higress@googlegroups.com are received by all current maintainers.
+
+## Disclosure Policy
+
+We follow a coordinated disclosure process:
+
+- We ask reporters to give us a reasonable amount of time to address the issue
+ before any public disclosure.
+- We will work with you to agree on a disclosure timeline, typically **90 days**
+ from the initial report.
+- We will publish security advisories and, where appropriate, request CVE
+ identifiers for confirmed vulnerabilities.
+- We will credit reporters in the advisory unless they request anonymity.
+
+## Security-Related Configuration
+
+For guidance on securely deploying and configuring Higress, please refer to
+the [official documentation](https://higress.cn/en/docs/latest/overview/what-is-higress/).
+Key security features include:
+
+- Built-in WAF protection plugin
+- Authentication plugins (key-auth, hmac-auth, jwt-auth, basic-auth, OIDC)
+- IP/Cookie-based CC protection
+- TLS termination with automatic Let's Encrypt certificate management
+
+---
+
+Higress is a [Cloud Native Computing Foundation](https://www.cncf.io/)
+sandbox project.
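Review bot: the "GitHub Private Security Advisory" bullet has nothing after the colon, so the first listed private channel cannot be used as written; add the link to the repository's advisory reporting page or state that the report is filed from the repository's Security tab. Three more points in this hunk: the advisory URL is `https://github.com/higress-group/higress/security/advisories` while the README badges in this same patch point at `https://github.com/alibaba/higress/...`, so one of the two organizations is wrong; the text says reports to higress@googlegroups.com "are received by all current maintainers", so the group's membership and archive must be confirmed as private, otherwise a report sent there is effectively public; and the ASRC channel from the old text is removed without saying whether reports there are still accepted. Minor: the "Security-Related Configuration" section links to the general "what-is-higress" overview rather than to deployment or plugin security documentation, and the `< 1.0.0` table row is a whitespace-only change that could be left out of the diff.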