docs: update SECURITY.md and CODE_OF_CONDUCT.md reporting channels

- SECURITY.md: require reporting to both GitHub Private Security Advisory
  and ASRC, remove email channel
- CODE_OF_CONDUCT.md: unify reporting to CNCF CoC Committee (conduct@cncf.io),
  add reference to CNCF Incident Resolution Procedures

Change-Id: I771880e9c488247f015dda4ecb0dac95be29fef1
Co-developed-by: Kiro <noreply@kiro.dev>
Signed-off-by: EndlessSeeker <1766508902@qq.com>
This commit is contained in:
EndlessSeeker
2026-04-28 16:45:35 +08:00
parent 5b64f2112d
commit fa9c096a7d
2 changed files with 15 additions and 17 deletions


@@ -9,10 +9,12 @@ The text below is the project's adopted Code of Conduct, based on the
substantively aligned with the CNCF Code of Conduct. Where any conflict exists, substantively aligned with the CNCF Code of Conduct. Where any conflict exists,
the CNCF Code of Conduct prevails. the CNCF Code of Conduct prevails.
Instances of unacceptable behavior may be reported to the project maintainers Instances of unacceptable behavior may be reported to the CNCF Code of
at [higress@googlegroups.com](mailto:higress@googlegroups.com), or to the CNCF Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more
Code of Conduct Committee at detailed instructions on how to submit a report, including how to submit a
[conduct@cncf.io](mailto:conduct@cncf.io). report anonymously, please see the CNCF
[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md).
You can expect a response within three business days.
--- ---
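Review bot: the added sentence "You can expect a response within three business days" commits the CNCF Code of Conduct Committee, not this project, to a response time now that the maintainer channel (higress@googlegroups.com) has been removed from this paragraph; either cite where the linked Incident Resolution Procedures state that timeline or drop the sentence so the document does not promise something the project cannot deliver.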
@@ -73,7 +75,8 @@ further defined and clarified by project maintainers.
## Enforcement ## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at higress@googlegroups.com. All reported by contacting the CNCF Code of Conduct Committee at
[conduct@cncf.io](mailto:conduct@cncf.io). All
complaints will be reviewed and investigated and will result in a response that complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident. obligated to maintain confidentiality with regard to the reporter of an incident.
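Review bot: the unchanged context lines after the edited contact still read "The project team is obligated to maintain confidentiality with regard to the reporter of an incident", but reports now go to the CNCF Code of Conduct Committee rather than the project team; update that sentence (for example to refer to the committee, or to "those handling the report") so the Enforcement section describes who actually receives and reviews complaints.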


@@ -17,17 +17,12 @@ your contributions.
**Please do NOT report security vulnerabilities through public GitHub issues, **Please do NOT report security vulnerabilities through public GitHub issues,
discussions, or pull requests.** discussions, or pull requests.**
Instead, please report them through one of the following private channels Instead, please report them through **both** of the following private channels:
(choose either one):
- **GitHub Private Security Advisory**: 1. **GitHub Private Security Advisory**:
<https://github.com/higress-group/higress/security/advisories/new> <https://github.com/higress-group/higress/security/advisories/new>
- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com) 2. **Alibaba Security Response Center (ASRC)**:
<https://security.alibaba.com/>
In addition, we recommend also reporting the vulnerability to the
[Alibaba Security Response Center (ASRC)](https://security.alibaba.com/),
as Higress is widely deployed on Alibaba Cloud infrastructure. Reporting to
ASRC helps ensure timely patching for cloud-hosted deployments.
Please include as much of the following information as possible to help us Please include as much of the following information as possible to help us
triage and address the issue: triage and address the issue:
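Review bot: requiring reporters to file through "**both**" channels, while deleting the paragraph that explained why ASRC matters ("Reporting to ASRC helps ensure timely patching for cloud-hosted deployments"), leaves the ASRC entry as a bare link to <https://security.alibaba.com/> with no indication of how to mark a submission as a Higress report or what to do if one channel is unavailable (reporters without a GitHub account, for instance); keep a one-line rationale for ASRC and state what the project expects when a reporter can only use one of the two channels.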
@@ -59,8 +54,8 @@ keep you informed of our progress throughout the process.
## Security Response Team ## Security Response Team
The Higress security response is handled by the project maintainers listed in The Higress security response is handled by the project maintainers listed in
[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to [`MAINTAINERS.md`](./MAINTAINERS.md). Security reports submitted via GitHub
higress@googlegroups.com are received by all current maintainers. Private Security Advisory are visible to all current maintainers.
## Disclosure Policy ## Disclosure Policy
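Review bot: "Security reports submitted via GitHub Private Security Advisory are visible to all current maintainers" ties visibility to the MAINTAINERS.md list, but who can see a private advisory is determined by the repository's permission settings, not by that file, so this claim should be verified against the actual repository configuration; the paragraph also says nothing about how reports sent to ASRC (now a required channel in the hunk above) reach the maintainers, which should be stated here for consistency.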