Add contribution and security guidelines

avvertix · avvertix · commit fab584a99a26 · 2020-11-13T12:20:56.000+01:00
diff --git a/CLA.md b/CLA.md
@@ -0,0 +1,31 @@
+# Contributor License Agreement
+
+If you are an employee and have created the contribution as part of your employment,
+you need to have your employer approve this agreement.
+If you do not own the copyright in the entire work of authorship,
+any other author of the contribution also needs to sign this.
+
+## Copyright License
+
+You hereby grant to Oneoff-tech UG, the maintainer of _Connect Identity for Laravel_,
+a worldwide, royalty-free, non-exclusive, perpetual and irrevocable license,
+with the right to transfer an unlimited number of non-exclusive licenses
+or to grant sublicenses to third parties, under the copyright covering the contribution
+to use the contribution by all means, including, but not limited to:
+
+* publish the contribution,
+* modify the contribution,
+* prepare derivative works based upon or containing the contribution
+  and/or to combine the contribution with other materials,
+* reproduce the contribution in original or modified form,
+* distribute, to make the contribution available to the public, display
+  and publicly perform the contribution in original or modified form.
+
+## Free Software Pledge
+
+We agree to irrevocably (sub)license the contribution
+or any materials containing, based on or derived from your contribution
+under the terms of any licenses
+the Free Software Foundation classifies as [Free Software licenses](https://www.gnu.org/licenses/license-list.html)
+and which are approved by the Open Source Initiative as [Open Source licenses](http://opensource.org/licenses).
+See the [LICENSE](./LICENSE) file, for the current license used.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,49 @@
+# How to contribute to Connect Identity for Laravel
+
+All Contributions to this project are most welcome, and can take many forms such as detailed bug reports, documentation, tests, features and patches. 
+Note that all contributions are managed by [OneOffTech](https://www.oneofftech.xyz), which can decide on the acceptance of the contribution.
+
+
+## Bugs reports
+
+To encourage active collaboration, we strongly encourages pull requests, not just bug reports. "Bug reports" may also be sent in the form of a pull request containing a failing test.
+
+However, if you file a bug report, should be as [GitHub issue](https://github.com/OneOffTech/laravel-connect-identity/issues) and should contain a title and a clear description of the problem. You should also include as much relevant information as possible and a code sample that demonstrates the issue. The goal of a bug report is to make it easy for yourself - and others - to replicate the bug and develop a fix.
+
+For security issues please refer to our [Security policy](./SECURITY.md).
+
+## Support Questions
+
+If you need help feel free to create a GitHub issue labeled **Question**. We will try to reply as fast as we can, but
+don't expect a same day reply.
+
+For security issues please refer to our [Security policy](./SECURITY.md).
+
+## Development
+
+Contributions are managed via GitHub [pull requests](https://github.com/OneOffTech/laravel-connect-identity/pulls). 
+
+To prepare one: 
+
+- [fork the Connect Identity for Laravel](https://github.com/OneOffTech/laravel-connect-identity/fork) into your own GitHub repository;
+- Base your branch on the `master` branch;
+- Always make a new branch for your work, no matter how small. This makes it easy for others to take just that one set of changes from your repository, in case you have multiple unrelated changes floating around;
+ - A corollary: don’t submit unrelated changes in the same branch/pull request! The maintainer shouldn’t have to reject your awesome bugfix because the feature you put in with it needs more review;
+- Add unit tests;
+- Run `./vendor/bin/php-cs-fixer fix` to ensure the coding standard policies are applied.
+
+Then you'll be able to commit and push your work. Once you are done, Github allows you to create a pull request and propose your changes to the original repository. Make sure you target your pull request to the `master` branch and cite the respective issue if present.
+
+
+## Documentation
+
+Documentation is located in the [readme.md](./README.md) file. 
+We hope it will get big enough to require a `docs` folder.
+
+Any contribution on improving the documentation is highly appreciated and a good way to become a welcomed contributor.
+
+## Contributor License Agreement
+
+The [Contributor License Agreement](./CLA.md) specifies the way how copyright of your contribution is handled. Please include in the comment on your pull request a statement like the following:
+
+> I'd like to contribute `feature X|bugfix Y|docs|something else` to Connect Identity for Laravel. I confirm that my contributions to Connect Identity for Laravel will be compatible with the Connect Identity for Laravel Contributor License Agreement at the time of contribution.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 
-# Laravel Connect Identity
+# Connect Identity for Laravel
 
 ![CI](https://github.com/OneOffTech/laravel-connect-identity/workflows/CI/badge.svg)
 
@@ -234,14 +234,17 @@ Here is how sensible data is stored:
 specify your old key inside `OLD_IDENTITY_KEY` to be able to still read encrypted values.
 
 > **Warning** as of now no automated job is available for re-encrypting data with the new key. 
-This operation happens during a login or a registration process as part of the token update.
+This operation happens during registration or while connecting an identity as part of the token update.
 
 
 ## Contributing
 
-All types of contribution are accepted, bug-fix, documentation updates, new features!
+Thank you for considering contributing to the Connect Identity for Laravel! 
+You can find how to get started in our [contribution guide](./CONTRIBUTING.md).
 
-We will have a contributing page soon, but meanwhile you can submit Pull Requests.
+## Security Vulnerabilities
+
+Please review our [security policy](./SECURITY.md) on how to report security vulnerabilities.
 
 ## License
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+**PLEASE DON'T DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, [SEE BELOW](#reporting-a-vulnerability).**
+
+## Supported Versions
+
+Bug and security fixes are supported only for the latest major version.
+
+Backport of security fixes for older major versions are decided on a
+case-by-case basis that takes into account the Laravel framework 
+support policy, the currently supported Laravel versions within
+the library and the installation on that version.
+
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability within Connect Identity for Laravel, 
+please send an email to OneOff-Tech security team at security@oneofftech.xyz. 
+
+All security vulnerabilities will be promptly addressed.
