Add simple contribution guidelines. #38 (#39)

* Add contribution guidelines. #38 * Flip contriburing/license.
roblillack · Jul 12, 2022 · 6c79d10 · 6c79d10
1 parent 4117ade
commit 6c79d10
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -94,6 +94,14 @@ therefor will not be added to tack.
 - Liquid template support
 - More configuration options
 
+#### Contributing
+
+To report bugs, or to propose new features, please see [the tack bug tracker](https://github.com/roblillack/tack/issues).
+
+If you'd like to contribute, feel free to create a pull request to implement new features or bug-fixes. Ensure that all code has a proper unit test and is written in idiomatic Go.
+
+Regarding security concerns, please see the separate [Security Policy](./SECURITY.md)
+
 #### License
 
 [MIT/X11](https://github.com/roblillack/tack/blob/master/LICENSE).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## What is regarded a security defect?
+
+With tack being a static site generator, naturally the attack surface is very
+low: A static site generator is usually not run in any kind of production
+environment.
+
+Still, we want to ensure that users of the tool can trust it to not break their
+CI or development systems and we therefore regard the following types of defects
+a security issue:
+
+- Writing to the filesystem outside of `SITE/output`
+- Serving data which does not belong to the generated website when running `tack serve`
+
+## Supported Versions
+
+We'll only support the latest major version of tack with security updates. Currently this means:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.2.x   | :white_check_mark: |
+| 1.1.x   | :x:                |
+| 1.0.x   | :x:                |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Feel free to report security defects using [our bug tracker](https://github.com/roblillack/tack/issues). If you'd rather report a security issue privately, you can do so by sending email to [@roblillack](https://github.com/roblillack): To get to my email address, just add the at sign between my given and family name and finish it of by adding .net!