This is an automated email from the ASF dual-hosted git repository.

dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 260d561b9a docs: update security policy and contributing (#25917)
260d561b9a is described below

commit 260d561b9a62332cb51d3b57c5a67ececcd7120e
Author: Daniel Vaz Gaspar <danielvazgas...@gmail.com>
AuthorDate: Wed Nov 22 10:31:32 2023 +0000

    docs: update security policy and contributing (#25917)
    
    Co-authored-by: Sam Firke <sfi...@users.noreply.github.com>
---
 .github/SECURITY.md |  4 ++--
 CONTRIBUTING.md     | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index f35b9c48f0..086ff8c0ca 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -12,8 +12,8 @@ Apache Software Foundation takes a rigorous standpoint in 
annihilating the secur
 in its software projects. Apache Superset is highly sensitive and forthcoming 
to issues
 pertaining to its features and functionality.
 If you have any concern or believe you have found a vulnerability in Apache 
Superset,
-please get in touch with the Apache Security Team privately at
-e-mail address [secur...@apache.org](mailto:secur...@apache.org).
+please get in touch with the Apache Superset Security Team privately at
+e-mail address 
[secur...@superset.apache.org](mailto:secur...@superset.apache.org).
 
 More details can be found on the ASF website at
 [ASF vulnerability reporting 
process](https://apache.org/security/#reporting-a-vulnerability)
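Review bot: the hunk swaps the reporting address for the project-specific list, but the two untouched sentences above it ("takes a rigorous standpoint in annihilating the security" and "is highly sensitive and forthcoming to issues") are awkward and would read better as plain guidance, e.g. "The ASF and the Apache Superset project treat security issues with the highest priority." Since this file is the one a reporter reads first, it would also help to state here what to expect after sending the mail (acknowledgement, private handling, coordinated disclosure) rather than only linking to the ASF process page.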
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d427ba393d..a955f123db 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -180,6 +180,51 @@ See [Translating](#translating) for more details.
 
 There is a dedicated [`apache-superset` 
tag](https://stackoverflow.com/questions/tagged/apache-superset) on 
[StackOverflow](https://stackoverflow.com/). Please use it when asking 
questions.
 
+## Types of Contributors
+
+Following the project governance model of the Apache Software Foundation 
(ASF), Apache Superset has a specific set of contributor roles:
+
+### PMC Member
+
+A Project Management Committee (PMC) member is a person who has been elected 
by the PMC to help manage the project. PMC members are responsible for the 
overall health of the project, including community development, release 
management, and project governance. PMC members are also responsible for the 
technical direction of the project.
+
+For more information about Apache Project PMCs, please refer to 
https://www.apache.org/foundation/governance/pmcs.html
+
+### Committer
+
+A committer is a person who has been elected by the PMC to have write access 
(commit access) to the code repository. They can modify the code, 
documentation, and website and accept contributions from others.
+
+The official list of committers and PMC members can be found 
[here](https://projects.apache.org/committee.html?superset).
+
+### Contributor
+
+A contributor is a person who has contributed to the project in any way, 
including but not limited to code, tests, documentation, issues, and 
discussions.
+
+> You can also review the Superset project's guidelines for PMC member 
promotion here: 
https://github.com/apache/superset/wiki/Guidelines-for-promoting-Superset-Committers-to-the-Superset-PMC
+
+### Security Team
+
+The security team is a selected subset of PMC members, committers and 
non-committers who are responsible for handling security issues.
+
+New members of the security team are selected by the PMC members in a vote. 
You can request to be added to the team by sending a message to 
priv...@superset.apache.org. However, the team should be small and focused on 
solving security issues, so the requests will be evaluated on a case-by-case 
basis and the team size will be kept relatively small, limited to only actively 
security-focused contributors.
+
+This security team must follow the [ASF vulnerability handling 
process](https://apache.org/security/committers.html#asf-project-security-for-committers).
+
+Each new security issue is tracked as a JIRA ticket on the [ASF's JIRA 
Superset security 
project](https://issues.apache.org/jira/secure/RapidBoard.jspa?rapidView=588&projectKey=SUPERSETSEC)
+
+Security team members must:
+
+- Have an [ICLA](https://www.apache.org/licenses/contributor-agreements.html) 
signed with Apache Software Foundation.
+- Not reveal information about pending and unfixed security issues to anyone 
(including their employers) unless specifically authorised by the security team 
members, e.g., if the security team agrees that diagnosing and solving an issue 
requires the involvement of external experts.
+
+A release manager, the contributor overseeing the release of a specific 
version of Apache Superset, is by default a member of the security team.  
However, they are not expected to be active in assessing, discussing, and 
fixing security issues.
+
+Security team members should also follow these general expectations:
+
+- Actively participate in assessing, discussing, fixing, and releasing 
security issues in Superset.
+- Avoid discussing security fixes in public forums. Pull request (PR) 
descriptions should not contain any information about security issues. The 
corresponding JIRA ticket should contain a link to the PR.
+- Security team members who contribute to a fix may be listed as remediation 
developers in the CVE report, along with their job affiliation (if they choose 
to include it).
+
 ## Pull Request Guidelines
 
 A philosophy we would like to strongly encourage is
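Review bot: the new "Security Team" section contradicts itself on participation: the release-manager paragraph says they are a member "by default" but "not expected to be active in assessing, discussing, and fixing security issues", while the list that follows says members should "Actively participate in assessing, discussing, fixing, and releasing security issues". Either exempt release managers explicitly in that bullet ("Actively participate ... (release managers excepted, see above)") or move the release-manager paragraph after the expectations list so the exception is read as qualifying them. Two smaller points in the same hunk: the confidentiality bullet says disclosure is allowed when "authorised by the security team members", which leaves it unclear whether one member or a team decision suffices; stating "by a decision of the security team" would remove the ambiguity. And the blockquote linking the PMC-promotion guidelines sits under the "Contributor" heading although it concerns PMC membership, so it belongs under "PMC Member" or "Committer".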