From fa9c096a7d45cfd7fa0f459fe2897b016920d7cc Mon Sep 17 00:00:00 2001 From: EndlessSeeker <1766508902@qq.com> Date: Tue, 28 Apr 2026 16:45:35 +0800 Subject: [PATCH] docs: update SECURITY.md and CODE_OF_CONDUCT.md reporting channels - SECURITY.md: require reporting to both GitHub Private Security Advisory and ASRC, remove email channel - CODE_OF_CONDUCT.md: unify reporting to CNCF CoC Committee (conduct@cncf.io), add reference to CNCF Incident Resolution Procedures Change-Id: I771880e9c488247f015dda4ecb0dac95be29fef1 Co-developed-by: Kiro Signed-off-by: EndlessSeeker <1766508902@qq.com> --- CODE_OF_CONDUCT.md | 13 ++++++++----- SECURITY.md | 19 +++++++------------ 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 8f514c07d..c2a04bd8a 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -9,10 +9,12 @@ The text below is the project's adopted Code of Conduct, based on the substantively aligned with the CNCF Code of Conduct. Where any conflict exists, the CNCF Code of Conduct prevails. -Instances of unacceptable behavior may be reported to the project maintainers -at [higress@googlegroups.com](mailto:higress@googlegroups.com), or to the CNCF -Code of Conduct Committee at -[conduct@cncf.io](mailto:conduct@cncf.io). +Instances of unacceptable behavior may be reported to the CNCF Code of +Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more +detailed instructions on how to submit a report, including how to submit a +report anonymously, please see the CNCF +[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md). +You can expect a response within three business days. --- 
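Review bot: the added sentence "You can expect a response within three business days." in the CODE_OF_CONDUCT.md reporting paragraph commits a third party (the CNCF Code of Conduct Committee) to a response time that this repository cannot enforce. If the figure comes from the linked Incident Resolution Procedures, attribute it ("the CNCF procedures state that you can expect ..."); otherwise drop the sentence rather than promise something the project does not control.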
@@ -73,7 +75,8 @@ further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at higress@googlegroups.com. All +reported by contacting the CNCF Code of Conduct Committee at +[conduct@cncf.io](mailto:conduct@cncf.io). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. diff --git a/SECURITY.md b/SECURITY.md index ab34736f5..7080c74dc 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,17 +17,12 @@ your contributions. **Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.** -Instead, please report them through one of the following private channels -(choose either one): +Instead, please report them through **both** of the following private channels: -- **GitHub Private Security Advisory**: - -- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com) - -In addition, we recommend also reporting the vulnerability to the -[Alibaba Security Response Center (ASRC)](https://security.alibaba.com/), -as Higress is widely deployed on Alibaba Cloud infrastructure. Reporting to -ASRC helps ensure timely patching for cloud-hosted deployments. +1. **GitHub Private Security Advisory**: + +2. **Alibaba Security Response Center (ASRC)**: + Please include as much of the following information as possible to help us triage and address the issue: 
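Review bot: in the CODE_OF_CONDUCT.md Enforcement hunk, the unchanged context after the edited lines still reads "The project team is obligated to maintain confidentiality with regard to the reporter of an incident", but the report now goes to the CNCF Code of Conduct Committee, not the project team. The "reviewed and investigated" and confidentiality sentences should name the committee (or defer to the CNCF procedures); as written the section promises handling by a team that no longer receives the report.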
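Review bot: in the SECURITY.md reporting hunk, requiring reporters to file through **both** GitHub Private Security Advisory and ASRC, while deleting the email channel, removes the only option that needed neither a GitHub nor an Alibaba account and doubles the effort for every reporter; the previous wording ("choose either one", with ASRC recommended) is the more usual pattern. If both really are required, say what happens when a report arrives on only one channel (for example, that maintainers will relay it to ASRC), and keep a fallback address for people who cannot use GitHub.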
@@ -59,8 +54,8 @@ keep you informed of our progress throughout the process. ## Security Response Team The Higress security response is handled by the project maintainers listed in -[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to -higress@googlegroups.com are received by all current maintainers. +[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports submitted via GitHub +Private Security Advisory are visible to all current maintainers. ## Disclosure Policy
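Review bot: "Security reports submitted via GitHub Private Security Advisory are visible to all current maintainers" only holds if every person in MAINTAINERS.md has the repository admin permission or the security manager role, which is what GitHub uses to gate access to private vulnerability reports; either state that condition or verify the maintainers list against those roles before merging. The hunk also drops the old email sentence without saying how ASRC reports reach the maintainers, even though the reporting section now requires ASRC; add one sentence on who receives ASRC reports and how they are relayed to the response team.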