updated assessment readme and code-of-conduct (#285)

* updated assessment readme and code-of-conduct * includes feedback by @ultrasaurus, @lumjjb, @rficcaglia
cncf · Nov 13, 2019 · 6a830fff6afe88ce98cb3fe672383c73aea85960 · 6a830ff
1 parent 5a335dd
commit 6a830fff6afe88ce98cb3fe672383c73aea85960
Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md
@@ -25,7 +25,7 @@ In keeping with this commitment, we offer the following guidelines:
      outside of the working group.
      * Participate in online forums to be inclusive of those who cannot 
      attend meetings.
-
+   * Work performed within this group, either finalized or in draft, is to be used in accordance with the group [Mission and Charter](https://github.com/cncf/sig-security/blob/master/governance/charter.md), the open source license, and to be used for the equal benefit of all members of the community.  Further information on use of work may be found in [Security Assessments: Outcome](https://github.com/cncf/sig-security/tree/master/assessments#outcome)
 
 # Inspiration
 

diff --git a/assessments/README.md b/assessments/README.md
@@ -33,6 +33,10 @@ Each project's security assessment shall include a description of:
 
 Due to the nature and timeframe for the analysis, *this review is not meant to subsume the need for a professional security audit of the code*.  Audits of implementation-specific vulnerabilities, improper deployment configuration, etc. are not in scope of a security assessment.  A security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.
 
+Finalized assessments may be used by the community to assist in contextual evaluation of a  project but are not an endorsement of the security of the project, not a security audit of the project, and do not relieve an individual or organization from performing due diligence and complying with laws, regulations, and policies.
+
+Draft assessments contain *unconfirmed* content and are not endorsed as factual until committed to this repository, which requires detailed peer review.  Draft assessments may also contain *speculative* content as the project lead or security reviewer is performing an evaluation.  Draft assessments are *only* for the purpose of preparing final assessment and are **not** to be used in any other capacity by the community.
+
 ## Process
 
 The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the SIG.