updated assessment readme and code-of-conduct (#285)
* updated assessment readme and code-of-conduct
* includes feedback by @ultrasaurus, @lumjjb, @rficcaglia
TheFoxAtWork authored and ultrasaurus committed Nov 13, 2019
1 parent 5a335dd commit 6a830fff6afe88ce98cb3fe672383c73aea85960
Showing 2 changed files with 5 additions and 1 deletion.
@@ -25,7 +25,7 @@ In keeping with this commitment, we offer the following guidelines:
outside of the working group.
* Participate in online forums to be inclusive of those who cannot
attend meetings.

* Work performed within this group, either finalized or in draft, is to be used in accordance with the group [Mission and Charter](https://github.com/cncf/sig-security/blob/master/governance/charter.md), the open source license, and to be used for the equal benefit of all members of the community. Further information on use of work may be found in [Security Assessments: Outcome](https://github.com/cncf/sig-security/tree/master/assessments#outcome)

# Inspiration

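Review bot: the new bullet in this hunk is not grammatically parallel and breaks the wrapping convention of the surrounding list. "is to be used in accordance with the group Mission and Charter, the open source license, and to be used for the equal benefit of all members" repeats "to be used" mid-sentence; the neighbouring bullets also wrap at roughly 70 columns and sit directly under each other, while this one is a single long line separated from them by a blank line. Suggest wrapping it to match and splitting the obligations, e.g. "* Work performed within this group, finalized or draft, is to be used in accordance with the group [Mission and Charter](...) and the open source license, and for the equal benefit of all members of the community." Also consider a relative link (as the README hunk in this same commit does with `guide/project-lead.md`) rather than an absolute `blob/master` URL, so the link survives a branch rename; and confirm the `#outcome` anchor actually resolves to a heading in the assessments README, since no "Outcome" heading is visible in the change.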
@@ -33,6 +33,10 @@ Each project's security assessment shall include a description of:

Due to the nature and timeframe for the analysis, *this review is not meant to subsume the need for a professional security audit of the code*. Audits of implementation-specific vulnerabilities, improper deployment configuration, etc. are not in scope of a security assessment. A security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.

Finalized assessments may be used by the community to assist in contextual evaluation of a project but are not an endorsement of the security of the project, not a security audit of the project, and do not relieve an individual or organization from performing due diligence and complying with laws, regulations, and policies.

Draft assessments contain *unconfirmed* content and are not endorsed as factual until committed to this repository, which requires detailed peer review. Draft assessments may also contain *speculative* content as the project lead or security reviewer is performing an evaluation. Draft assessments are *only* for the purpose of preparing final assessment and are **not** to be used in any other capacity by the community.

## Process

The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the SIG.
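Review bot: the first added paragraph in this hunk has a typo ("A security assessmet") and an apparent contradiction that deserves a clarifying phrase. It states that "improper deployment configuration" is out of scope, then two sentences later says the assessment "is intended to uncover design and configuration flaws"; a reader cannot tell which configuration is meant. Suggest qualifying the in-scope side, e.g. "uncover design flaws and insecure default configuration in the project itself", so that a deployer's misconfiguration (out of scope) is clearly distinguished from what the project ships (in scope). Minor: "not an endorsement ..., not a security audit ..., and do not relieve" mixes "not" and "do not" in one list; "nor a security audit" reads more cleanly.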
