From 9b9f6b900a9cff32ec6aef2f9fdc5b6e86a38f7d Mon Sep 17 00:00:00 2001
From: EndlessSeeker <153817598+EndlessSeeker@users.noreply.github.com>
Date: Tue, 28 Apr 2026 17:28:26 +0800
Subject: [PATCH] docs: update SECURITY.md, CONTRIBUTING docs for CNCF/OpenSSF
compliance (#3764)
Signed-off-by: EndlessSeeker <1766508902@qq.com>
---
CODE_OF_CONDUCT.md | 25 +++++++++++++--
CONTRIBUTING_CN.md | 16 +++++++---
CONTRIBUTING_EN.md | 17 +++++++---
CONTRIBUTING_JP.md | 17 +++++++---
GOVERNANCE.md | 50 ++++++++++++++++++++++++++++++
README.md | 37 ++++++++++++++++++++++
README_JP.md | 35 +++++++++++++++++++++
README_ZH.md | 32 +++++++++++++++++++
SECURITY.md | 77 ++++++++++++++++++++++++++++++++++++++++++++--
9 files changed, 289 insertions(+), 17 deletions(-)
create mode 100644 GOVERNANCE.md
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index d6b6be290..c2a04bd8a 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,4 +1,24 @@
-# Contributor Covenant Code of Conduct
+# Higress Code of Conduct
+
+Higress is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox
+project. As a CNCF project, the Higress community follows the
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+
+The text below is the project's adopted Code of Conduct, based on the
+[Contributor Covenant](https://www.contributor-covenant.org/), and is
+substantively aligned with the CNCF Code of Conduct. Where any conflict exists,
+the CNCF Code of Conduct prevails.
+
+Instances of unacceptable behavior may be reported to the CNCF Code of
+Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more
+detailed instructions on how to submit a report, including how to submit a
+report anonymously, please see the CNCF
+[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md).
+You can expect a response within three business days.
+
+---
+
+## Contributor Covenant Code of Conduct
## Our Pledge
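Review bot: the demoted heading `## Contributor Covenant Code of Conduct` is immediately followed by `## Our Pledge` at the same level, so the Covenant heading has no body and no longer groups the sections below it; either drop the demoted heading or shift `## Our Pledge` and the following Covenant sections to `###`, and add a blank line between the two headings to match the spacing used elsewhere in the file.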
@@ -55,7 +75,8 @@ further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at higress@googlegroups.com. All
+reported by contacting the CNCF Code of Conduct Committee at
+[conduct@cncf.io](mailto:conduct@cncf.io). All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
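Review bot: the report address now points to the CNCF Code of Conduct Committee, but the unchanged context lines still say "All complaints will be reviewed and investigated ... The project team is obligated to maintain confidentiality", which describes the project team as the handling body; either reword those lines to name the CNCF committee (and link the Incident Resolution Procedures already cited at the top of the file) or state that project maintainers remain a first point of contact alongside conduct@cncf.io, since the higress@googlegroups.com contact is removed outright.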
diff --git a/CONTRIBUTING_CN.md b/CONTRIBUTING_CN.md
index 47700d78b..d673ab1e2 100644
--- a/CONTRIBUTING_CN.md
+++ b/CONTRIBUTING_CN.md
@@ -23,7 +23,7 @@
## 报告安全问题
-安全问题总是得到认真对待。作为我们通常的原则,我们不鼓励任何人传播安全问题。如果您发现Higress的安全问题,请不要公开讨论,甚至不要公开问题。相反,我们鼓励您向 [higress@googlegroups.com](mailto:higress@googlegroups.com) 发送私人电子邮件 以报告此情况。
+安全问题总是得到认真对待。作为我们通常的原则,我们不鼓励任何人传播安全问题。如果您发现 Higress 的安全问题,请不要公开讨论,甚至不要公开 issue。请按照 [`SECURITY.md`](./SECURITY.md) 中描述的流程私密报告漏洞。
## 报告一般问题
@@ -204,10 +204,18 @@ make prebuild && go mod tidy
任何测试用例都会受到欢迎。目前,Higress 功能测试用例是高优先级的。
-* 对于单元测试,您需要在同一模块的 test 目录中创建一个名为 xxxTest.go 的测试文件。
+### 新功能的测试要求
-* 对于集成测试,您可以将集成测试放在 test 目录。
-//TBD
+- **新 Wasm 插件**:必须包含单元测试,代码覆盖率不低于 30%(CI 强制检查)。
+- **新核心功能**:应包含单元测试,适用时还应添加 E2E 一致性测试用例。
+- **Bug 修复**:应包含能复现该 Bug 的回归测试。
+- **Patch 覆盖率**:新增或修改的代码必须达到 50% 的覆盖率(由 Codecov 通过 `codecov.yml` 强制检查)。
+
+### 如何编写测试
+
+* 对于单元测试,在同一模块的 test 目录中创建一个名为 `xxxTest.go` 的测试文件。
+* 对于集成测试,将集成测试放在 test 目录。
+* 对于 Wasm 插件 E2E 测试,在 `test/e2e/conformance/tests/` 中添加测试用例。详见 [test/README.md](./test/README.md)。
## 参与帮助任何事情
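Review bot: the added line `* 对于单元测试,在同一模块的 test 目录中创建一个名为 `xxxTest.go` 的测试文件。` keeps the old `xxxTest.go` naming, but `go test` only recognises files ending in `_test.go`, so a file named as documented would be silently skipped and would not count toward the 30% plugin or 50% patch coverage checks introduced just above; change it to `xxx_test.go` (the same fix applies to the EN and JP counterparts of this hunk).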
diff --git a/CONTRIBUTING_EN.md b/CONTRIBUTING_EN.md
index 5df39db4c..408e6be59 100644
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -23,7 +23,7 @@ Your interest in contributing to Higress is warmly welcomed. First, we encourage
## Reporting security issues
-Security issues are always treated seriously. As our usual principle, we discourage anyone to spread security issues. If you find a security issue of Higress, please do not discuss it in public and even do not open a public issue. Instead we encourage you to send us a private email to [higress@googlegroups.com](mailto:higress@googlegroups.com) to report this.
+Security issues are always treated seriously. As our usual principle, we discourage anyone to spread security issues. If you find a security issue of Higress, please do not discuss it in public and even do not open a public issue. Instead please follow the process described in [`SECURITY.md`](./SECURITY.md) to report vulnerabilities privately.
## Reporting general issues
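Review bot: the rewritten line carries over the grammar of the old one ("we discourage anyone to spread security issues", "a security issue of Higress", "and even do not open a public issue"); since the line is being touched anyway, suggest "we discourage anyone from spreading security issues. If you find a security issue in Higress, please do not discuss it in public and do not even open a public issue. Instead, please follow ...".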
@@ -204,9 +204,18 @@ make prebuild && go mod tidy
Any test case would be welcomed. Currently, Higress function test cases are high priority.
-* For unit test, you need to create a test file named `xxxTest.go` in the test directory of the same module.
-* For integration test, you can put the integration test in the test directory.
-//TBD
+### Test requirements for new functionality
+
+- **New Wasm plugins**: MUST include unit tests with at least 30% code coverage (enforced by CI).
+- **New core features**: SHOULD include unit tests and, where applicable, E2E conformance test cases.
+- **Bug fixes**: SHOULD include a regression test that reproduces the bug.
+- **Patch coverage**: New or changed code must meet a 50% coverage target for the patch (enforced by Codecov via `codecov.yml`).
+
+### How to write tests
+
+* For unit tests, create a test file named `xxxTest.go` in the test directory of the same module.
+* For integration tests, you can put the integration test in the test directory.
+* For Wasm plugin E2E tests, add test cases in `test/e2e/conformance/tests/`. See [test/README.md](./test/README.md) for details.
## Engage to help anything
We choose GitHub as the primary place for Higress to collaborate. So the latest updates of Higress are always here. Although contributions via PR is an explicit way to help, we still call for any other ways.
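Review bot: the two thresholds in the new "Test requirements" list are not reconciled: a new Wasm plugin "MUST include unit tests with at least 30% code coverage" while "New or changed code must meet a 50% coverage target for the patch", and a new plugin is by definition new code, so a reader cannot tell whether 30% or 50% gates their PR; state explicitly that the 30% figure is the per-plugin total-coverage floor and the 50% figure is the Codecov patch-coverage gate, and that both apply. The `xxxTest.go` file name on the unit-test line should also become `xxx_test.go`, as `go test` ignores other suffixes.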
diff --git a/CONTRIBUTING_JP.md b/CONTRIBUTING_JP.md
index 5541a5220..699d887ec 100644
--- a/CONTRIBUTING_JP.md
+++ b/CONTRIBUTING_JP.md
@@ -23,7 +23,7 @@ Higress のハッキングに興味がある場合は、温かく歓迎します
## セキュリティ問題の報告
-セキュリティ問題は常に真剣に扱われます。通常の原則として、セキュリティ問題を広めることは推奨しません。Higress のセキュリティ問題を発見した場合は、公開で議論せず、公開の問題を開かないでください。代わりに、[higress@googlegroups.com](mailto:higress@googlegroups.com) にプライベートなメールを送信して報告することをお勧めします。
+セキュリティ問題は常に真剣に扱われます。通常の原則として、セキュリティ問題を広めることは推奨しません。Higress のセキュリティ問題を発見した場合は、公開で議論せず、公開の issue を開かないでください。[`SECURITY.md`](./SECURITY.md) に記載されたプロセスに従って、脆弱性を非公開で報告してください。
## 一般的な問題の報告
@@ -199,9 +199,18 @@ make prebuild && go mod tidy
テストケースは歓迎されます。現在、Higress の機能テストケースが高優先度です。
-* 単体テストの場合、同じモジュールの test ディレクトリに xxxTest.go という名前のテストファイルを作成する必要があります。
-* 統合テストの場合、統合テストを test ディレクトリに配置できます。
-//TBD
+### 新機能のテスト要件
+
+- **新しい Wasm プラグイン**:30% 以上のコードカバレッジを持つユニットテストを含める必要があります(CI で強制チェック)。
+- **新しいコア機能**:ユニットテストを含めるべきであり、該当する場合は E2E コンフォーマンステストケースも追加すべきです。
+- **バグ修正**:バグを再現する回帰テストを含めるべきです。
+- **パッチカバレッジ**:新規または変更されたコードは 50% のカバレッジ目標を満たす必要があります(Codecov が `codecov.yml` を通じて強制チェック)。
+
+### テストの書き方
+
+* ユニットテストの場合、同じモジュールの test ディレクトリに `xxxTest.go` という名前のテストファイルを作成します。
+* 統合テストの場合、統合テストを test ディレクトリに配置します。
+* Wasm プラグイン E2E テストの場合、`test/e2e/conformance/tests/` にテストケースを追加します。詳細は [test/README.md](./test/README.md) を参照してください。
## 何かを手伝うための参加
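Review bot: same naming issue as the CN and EN hunks: the added line `* ユニットテストの場合、同じモジュールの test ディレクトリに `xxxTest.go` という名前のテストファイルを作成します。` documents a file name that `go test` will not pick up; use `xxx_test.go` so the three language versions stay consistent and the documented file actually runs under the CI coverage checks.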
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
new file mode 100644
index 000000000..77404d840
--- /dev/null
+++ b/GOVERNANCE.md
@@ -0,0 +1,50 @@
+# Higress Governance
+
+Higress is a [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/)
+sandbox project. This document describes the project's open governance model.
+
+All community members must follow the
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+and the project's adopted policy in [`CODE_OF_CONDUCT.md`](./CODE_OF_CONDUCT.md).
+
+## Values
+
+Higress governance is guided by the following values:
+
+- **Openness**: Communication and decision making happen in public channels and repositories whenever possible.
+- **Fairness**: Contributions are evaluated on technical merit rather than company affiliation.
+- **Community First**: Long-term community health has priority over short-term product goals.
+- **Inclusivity**: We welcome contributors from different regions and backgrounds.
+- **Participation**: Project responsibilities are earned through sustained contribution.
+
+## Roles
+
+Higress role definitions are documented in:
+
+- [`MAINTAINERS.md`](./MAINTAINERS.md)
+- [`CODEOWNERS`](./CODEOWNERS)
+- [`CONTRIBUTING_EN.md`](./CONTRIBUTING_EN.md)
+
+## Decision Making
+
+Higress uses **lazy consensus** by default.
+
+When consensus cannot be reached, maintainers may start a vote on a public
+issue or pull request. A simple majority of votes cast decides the outcome.
+
+For governance or project direction changes, maintainers should allow adequate
+time for public discussion before finalizing decisions.
+
+## Governance Updates
+
+Changes to this document are made through pull requests and approved by
+maintainers.
+
+## Security
+
+Security reporting and response follow [`SECURITY.md`](./SECURITY.md).
+
+---
+
+Higress is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox
+project.
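Review bot: the "Decision Making" section says "maintainers may start a vote on a public issue or pull request. A simple majority of votes cast decides the outcome" but never defines the electorate, a voting period, or a quorum, so a vote with two ballots cast in an hour would be valid under this text; suggest tying eligibility to the roster in `MAINTAINERS.md` (already linked under "Roles") and fixing a minimum open period (for example, the "adequate time for public discussion" mentioned for governance changes could be given a concrete number of days). Minor: the CNCF sandbox sentence appears twice (lines 3-4 and the closing lines), so the trailer duplicates the intro.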
diff --git a/README.md b/README.md
index 7b8aa288d..0a23c7815 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
[](https://github.com/alibaba/higress/actions)
[](https://www.apache.org/licenses/LICENSE-2.0.html)
[](https://discord.gg/tSbww9VDaM)
+[](https://www.cncf.io/projects/)
@@ -183,6 +184,25 @@ Join our Discord community! This is where you can connect with developers and ot
[](https://discord.gg/tSbww9VDaM)
+### Code of Conduct
+
+The Higress community follows the
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+The project's adopted Code of Conduct is documented in
+[`CODE_OF_CONDUCT.md`](./CODE_OF_CONDUCT.md). Please review it before
+participating in the community.
+
+### Governance & Maintainers
+
+Project governance, the maintainer roster, and the contribution model are
+described in [`GOVERNANCE.md`](./GOVERNANCE.md) and
+[`MAINTAINERS.md`](./MAINTAINERS.md). New contributors are encouraged to start
+with [`CONTRIBUTING_EN.md`](./CONTRIBUTING_EN.md).
+
+### Security
+
+Please report security vulnerabilities following the process described in
+[`SECURITY.md`](./SECURITY.md).
### Thanks
@@ -205,6 +225,23 @@ Higress would not be possible without the valuable open-source work of projects
[](https://star-history.com/#alibaba/higress&Date)
+---
+
+## Cloud Native Computing Foundation
+
+
+
+
+
+We are a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox project.
+
+The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For
+a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage).
+
+Copyright Higress a Series of LF Projects, LLC. For website terms of use,
+trademark policy and other project policies please see
+[https://lfprojects.org/policies/](https://lfprojects.org/policies/).
+
↑ Back to Top ↑
diff --git a/README_JP.md b/README_JP.md
index e173d7318..6243bed77 100644
--- a/README_JP.md
+++ b/README_JP.md
@@ -8,6 +8,7 @@
[](https://github.com/alibaba/higress/actions)
[](https://www.apache.org/licenses/LICENSE-2.0.html)
+[](https://www.cncf.io/projects/)
[**公式サイト**](https://higress.cn/) |
[**ドキュメント**](https://higress.cn/docs/latest/overview/what-is-higress/) |
@@ -190,6 +191,23 @@ K8sでのHelmデプロイなどの他のインストール方法については
## コミュニティ
+### 行動規範(Code of Conduct)
+
+Higress コミュニティは
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+に従っています。プロジェクトが採用している行動規範は
+[`CODE_OF_CONDUCT.md`](./CODE_OF_CONDUCT.md) に記載されていますので、コミュニティに参加する前にご確認ください。
+
+### ガバナンスとメンテナー
+
+プロジェクトのガバナンス、メンテナー一覧、コントリビューションモデルについては
+[`GOVERNANCE.md`](./GOVERNANCE.md) と [`MAINTAINERS.md`](./MAINTAINERS.md) を参照してください。
+初めて貢献される方は [`CONTRIBUTING_EN.md`](./CONTRIBUTING_EN.md) からお読みください。
+
+### セキュリティ
+
+セキュリティに関する脆弱性は [`SECURITY.md`](./SECURITY.md) に記載された手順に従って報告してください。
+
### 感謝
EnvoyとIstioのオープンソースの取り組みがなければ、Higressは実現できませんでした。これらのプロジェクトに最も誠実な敬意を表します。
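Review bot: the Japanese README points new contributors to `CONTRIBUTING_EN.md` ("初めて貢献される方は [`CONTRIBUTING_EN.md`](./CONTRIBUTING_EN.md) からお読みください"), but `CONTRIBUTING_JP.md` exists and is updated in this same patch; link the JP version here, mirroring how README_ZH.md links `CONTRIBUTING_CN.md`.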
@@ -221,6 +239,23 @@ WeChat公式アカウント:
[](https://star-history.com/#alibaba/higress&Date)
+---
+
+## Cloud Native Computing Foundation
+
+
+
+
+
+Higress は [Cloud Native Computing Foundation](https://www.cncf.io/) のサンドボックスプロジェクトです。
+
+The Linux Foundation® (TLF) は登録商標を所有し使用しています。LF の商標一覧については
+[Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage) をご参照ください。
+
+Copyright Higress a Series of LF Projects, LLC. ウェブサイトの利用規約、商標ポリシー、
+その他のプロジェクトポリシーについては
+[https://lfprojects.org/policies/](https://lfprojects.org/policies/) をご参照ください。
+
↑ トップに戻る ↑
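Review bot: the trademark sentence introduces the abbreviation "TLF" ("The Linux Foundation® (TLF)") and then refers to "LF の商標一覧" on the next line; use one abbreviation consistently, and verify the copyright line against the LF Projects footer template since the English, Japanese and Chinese versions should carry identical legal text.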
diff --git a/README_ZH.md b/README_ZH.md
index ca48bdf6b..c7b524241 100644
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -10,6 +10,7 @@
[](https://github.com/alibaba/higress/actions)
[](https://www.apache.org/licenses/LICENSE-2.0.html)
+[](https://www.cncf.io/projects/)
@@ -221,6 +222,21 @@ K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start
## 社区
+### 行为准则(Code of Conduct)
+
+Higress 社区遵循 [**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)。
+项目采纳的行为准则详见 [`CODE_OF_CONDUCT.md`](./CODE_OF_CONDUCT.md),参与社区前请先阅读。
+
+### 治理与维护者
+
+项目治理、维护者名单与贡献模型分别记录于 [`GOVERNANCE.md`](./GOVERNANCE.md) 与
+[`MAINTAINERS.md`](./MAINTAINERS.md),新贡献者请先查阅
+[`CONTRIBUTING_CN.md`](./CONTRIBUTING_CN.md)。
+
+### 安全
+
+如发现安全漏洞,请按照 [`SECURITY.md`](./SECURITY.md) 中的流程进行报告。
+
### 感谢
如果没有 Envoy 和 Istio 的开源工作,Higress 就不可能实现,在这里向这两个项目献上最诚挚的敬意。
@@ -252,6 +268,22 @@ K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start
[](https://star-history.com/#alibaba/higress&Date)
+---
+
+## 云原生计算基金会(CNCF)
+
+
+
+
+
+Higress 是 [Cloud Native Computing Foundation](https://www.cncf.io/) 的沙箱(Sandbox)项目。
+
+The Linux Foundation® (TLF) 拥有相关注册商标并对其加以使用。完整的 LF 商标清单见
+[Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage)。
+
+Copyright Higress a Series of LF Projects, LLC. 项目相关的网站使用条款、商标策略及其他政策,
+请参见 [https://lfprojects.org/policies/](https://lfprojects.org/policies/)。
+