diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 8f514c07d..c2a04bd8a 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -9,10 +9,12 @@ The text below is the project's adopted Code of Conduct, based on the substantively aligned with the CNCF Code of Conduct. Where any conflict exists, the CNCF Code of Conduct prevails. -Instances of unacceptable behavior may be reported to the project maintainers -at [higress@googlegroups.com](mailto:higress@googlegroups.com), or to the CNCF -Code of Conduct Committee at -[conduct@cncf.io](mailto:conduct@cncf.io). +Instances of unacceptable behavior may be reported to the CNCF Code of +Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more +detailed instructions on how to submit a report, including how to submit a +report anonymously, please see the CNCF +[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md). +You can expect a response within three business days. --- @@ -73,7 +75,8 @@ further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at higress@googlegroups.com. All +reported by contacting the CNCF Code of Conduct Committee at +[conduct@cncf.io](mailto:conduct@cncf.io). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. diff --git a/SECURITY.md b/SECURITY.md index ab34736f5..7080c74dc 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,17 +17,12 @@ your contributions. **Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.** -Instead, please report them through one of the following private channels -(choose either one): +Instead, please report them through **both** of the following private channels: -- **GitHub Private Security Advisory**: - -- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com) - -In addition, we recommend also reporting the vulnerability to the -[Alibaba Security Response Center (ASRC)](https://security.alibaba.com/), -as Higress is widely deployed on Alibaba Cloud infrastructure. Reporting to -ASRC helps ensure timely patching for cloud-hosted deployments. +1. **GitHub Private Security Advisory**: + +2. **Alibaba Security Response Center (ASRC)**: + Please include as much of the following information as possible to help us triage and address the issue: @@ -59,8 +54,8 @@ keep you informed of our progress throughout the process. ## Security Response Team The Higress security response is handled by the project maintainers listed in -[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to -higress@googlegroups.com are received by all current maintainers. +[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports submitted via GitHub +Private Security Advisory are visible to all current maintainers. ## Disclosure Policy