Merge branch 'develop' into develop-safe-harbor-v1

Author: mattaereal

README.md

@@ -1,28 +1,38 @@
 # Security Frameworks content repository
 
-Official repository to the Security Frameworks by SEAL. This repository contains the entire
-structure and contents of the frameworks. Feel free to suggest from new categories to grammar
-corrections. Collaboration is open to everyone. **This is a work in progress.**
+Official repository to the Security Frameworks by SEAL. This repository contains the entire structure and contents of the frameworks. Feel free to suggest from new categories to grammar corrections. Collaboration is open to everyone. **This is a work in progress.**
 
-If you want to know more about the frameworks or take a peek at the live book go to the following
-branches below: [Main](https://seal-frameworks.vercel.app/),
-[Development](https://frameworks-git-develop-seal-frameworks.vercel.app/?_vercel_share=zOI0Q3riUfDv1Lq1IylFz2hXQzYPcmLp).
-
-Production will be at [frameworks.securityalliance.org](https://frameworks.securityalliance.org),
-but not yet available.
+If you want to know more about the frameworks or take a peek at the live book go to the following branches: [Main](frameworks.securityalliance.org), [Development](frameworks.securityalliance.dev).
 
 ## Quick installation and local setup
 
 1. `gh repo clone security-alliance/frameworks`
 2. `git checkout develop`
-3. `cargo install mdbook mdbook-admonish mdbook-catppuccin`
+3. `cargo install mdbook mdbook-admonish`
 4. `./serve.sh`
 
 ## Collaboration
 
-There are currently two ways to collaborate. The first one is by logging from your Vercel account
-and commenting directly on the deployed version of the book, and the second one is by forking the
-repository and creating a pull request.
+There are currently several ways to collaborate:
+
+1. Using the "Suggest an edit" button on any page to make quick edits
+2. Contributing to a specific framework through its dedicated branch
+3. Forking the repository and creating a pull request to the develop branch
+4. Commenting directly on the deployed version
+
+> ⚠️ Please sign and verify every commit.
+
+### Framework-specific branches
+
+Before contributing, check if there's a [Steward](src/contribute/stewards.md) for the specific framework you're interested in, and reach out. We usually have separate branches pre-develop for frameworks with stewards. 
+
+The naming convention is `fw_framework_name`, for example `fw_opsec`, `fw_community_mgmt`. Ideally, you'll fork these framework-specific branches, as they typically have more updated information than what's available in the develop branch.
+
+After making your changes:
+1. Submit a PR to the framework-specific branch and let the steward know
+2. After reviews, a PR can be submitted from the framework branch to the develop branch
+
+If there's no specific branch created, that framework is still "headless," which means you can become its steward! See more in the [Stewards](src/contribute/stewards.md) section.
 
 ### Comments
 
@@ -33,25 +43,35 @@ To comment on the live version of the book under development, you will need to l
 1. Fork the repository. Click on the "Fork" button at the top right corner of the page.
 2. Clone the forked repository to your local machine. Open your terminal or command prompt.
 `git clone https://github.com/your-username/frameworks.git`
-3. Make sure you're in the develop branch first.
+3. Check if there's a framework-specific branch you should be working on. If yes, use that branch instead of develop.
+4. Otherwise, make sure you're in the develop branch:
 `git checkout develop`
-4. Inside the folder create a new branch based on `develop`.
-`git checkout -b develop`
-5. Make your changes.
-6. Make sure your changes don't break anything by testing it in the local setup (see above).
-`./serve.sh`.
-7. Commit your changes.
+5. Inside the folder create a new branch based on the appropriate branch:
+`git checkout -b your-feature-branch`
+6. Make your changes.
+7. If adding new pages, consider adding appropriate tags in the frontmatter. Example:
+```
+---
+tags:
+  - Engineer/Developer
+  - Security Specialist
+  - Devops
+  - SRE
+---
+```
+8. If adding significant content, add attribution using the contributors system (see [using-contributors.md](src/config/using-contributors.md)).
+9. Make sure your changes don't break anything by testing it in the local setup:
+`./serve.sh`
+10. Commit your changes:
 `git add .`
-8. Commit the changes with a descriptive message:
-`git commit -m "Fixing typos and improving readability on XXX section"`
-9. Push the changes to your forked repository.
-`git push origin develop`
-10. Create a pull request. Go to your forked repository on GitHub. You should see a "Compare & pull
-   request" button. Click on it. Provide a descriptive title and description for your pull request.
-11. Click on the "Create pull request" button.
-12. Wait for review. Once your pull request is approved, and no more changes are needed, we will
-    merge it into the main repository.
-13. Congratulations! Your changes are now part of the security frameworks!
+11. Commit the changes with a descriptive message:
+`git commit -S -m "Fixing typos and improving readability on XXX section"`
+12. Push the changes to your forked repository:
+`git push origin your-feature-branch`
+13. Create a pull request. Go to your forked repository on GitHub. You should see a "Compare & pull request" button. Click on it. Provide a descriptive title and description for your pull request.
+14. Click on the "Create pull request" button.
+15. Wait for review. Once your pull request is approved, and no more changes are needed, we will merge it into the appropriate branch.
+16. Congratulations! Your changes are now part of the security frameworks!
 
 ## Editor area
 
@@ -62,5 +82,4 @@ Editors merge PRs and push suggestions to the main branch which will be reflecte
 3. `git merge origin/develop`
 4. Manually merge files, solve conflicts and add a description.
 
-- Using the `serve.sh` script instead of mdBook `serve` command is needed to be able to see properly
-  the local deployment.
+- Using the `serve.sh` script instead of mdBook `serve` command is needed to be able to see properly the local deployment.

book.toml

@@ -16,9 +16,6 @@ use-default-preprocessors = true
 command = "mdbook-admonish"
 assets_version = "3.0.2" # do not edit: managed by `mdbook-admonish install`
 
-[preprocessor.catppuccin]
-assets_version = "2.1.0" # DO NOT EDIT: Managed by `mdbook-catppuccin install`
-
 [preprocessor.metadata]
 command = "cargo run --manifest-path=plugin/mdbook-metadata/Cargo.toml --locked"
 tag_colors = { "SEAL/Initiative" = "#4339db" }
@@ -27,8 +24,6 @@ tag_colors = { "SEAL/Initiative" = "#4339db" }
 
 [output.html]
 additional-css = [
-    "./theme/catppuccin.css",
-    "./theme/catppuccin-admonish.css",
     "./mdbook-admonish.css",
     "./theme/custom.css",
     "./theme/toc/pagetoc.css",

src/README.md

@@ -17,21 +17,32 @@
   - [Cultivating a Security-Aware Mindset](./awareness/cultivating-a-security-aware-mindset.md)
   - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md)
   - [Resources & Further Reading](./awareness/resources-and-further-reading.md)
-- [Operational Security](./operational-security/README.md)
-  - [Detecting and Mitigating Insider Threats](./operational-security/detecting-and-mitigating-insider-threats.md)
-  - [G Suite Security](./operational-security/g-suite-security.md)
-  - [Password and Secrets Management](./operational-security/password-secrets-management.md)
-  - [Physical Security](./operational-security/physical-security.md)
-  - [SIM Swapping](./operational-security/sim-swapping.md)
-  - [Standard Operating Environment](./operational-security/standard-operating-environment.md)
-  - [Telegram](./operational-security/telegram.md)
-  - [Wireless Security](./operational-security/wireless-security.md)
-- [Key Management](./key-management/README.md)
-  - [Cold vs Hot Wallet](./key-management/cold-vs-hot-wallet.md)
-  - [Custodial vs Non-Custodial](./key-management/custodial-vs-non-custodial.md)
-  - [Hardware Wallets](./key-management/hardware-wallets.md)
-  - [Signing Schemes](./key-management/signing-schemes.md)
-  - [Software Wallets](./key-management/software-wallets.md)
+- [Operational Security](./opsec/README.md)
+  - [Overview](./opsec/overview/README.md)  
+    - [Security Fundamentals](./opsec/overview/security-fundamentals.md)
+    - [Implementation Process](./opsec/overview/implementation-process.md)
+    - [Web3 considerations](./opsec/overview/web3-considerations.md)
+  - [Threat Modeling Overview](./opsec/threat-modeling-overview.md)
+  - [Risk Management Overview](./opsec/risk-management-overview.md)
+  - [While Traveling](./opsec/travel/README.md)
+    - [Guide](./opsec/travel/guide.md)
+    - [TL;DR](./opsec/travel/tldr.md)
+  - [Governance & Program Management]()
+  - [Control Domains]()
+  - [Lifecycle]()
+  - [Monitoring & Detection]()
+  - [Incident Response & Recovery]()
+  - [Continuous Improvement & Metrics]()
+  - [Integration & Mapping to Other Frameworks]()
+  - [Appendices]()
+- [Wallet Security](./wallet-security/README.md)
+  - [Cold vs Hot Wallet](./wallet-security/cold-vs-hot-wallet.md)
+  - [Custodial vs Non-Custodial](./wallet-security/custodial-vs-non-custodial.md)
+  - [Hardware Wallets](./wallet-security/hardware-wallets.md)
+  - [Signing Schemes](./wallet-security/signing-schemes.md)
+  - [Software Wallets](./wallet-security/software-wallets.md)
+  - [Secure Multisig Best Practices](./wallet-security/secure-multisig-best-practices.md)
+  - [Secure Multisig Signing Process](./wallet-security/secure-multisig-signing-process.md)
 - [External Security Reviews](./external-security-reviews/README.md)
   - [Expectation](./external-security-reviews/expectation.md)
   - [Preparation](./external-security-reviews/preparation.md)

src/SUMMARY.md

@@ -20,7 +20,7 @@ Here, we present essential best practices to safeguard your community. In the fo
 
 ### Strong Passwords and Two-Factor Authentication (2FA)
 
-- Use unique, complex passwords for each service and store them securely in a reputable password manager. Refer to the [**Operational Security Framework**](../operational-security/README.md) and [**Key Management Framework**](../key-management/README.md) for more information on this.
+- Use unique, complex passwords for each service and store them securely in a reputable password manager. Refer to the [**Operational Security Framework**](../operational-security/README.md) and [**Wallet Security Framework**](../wallet-security/README.md) for more information on this.
 - Secure the email account linked to your community platforms with a unique password and 2FA.
 - Always enable 2FA. Prefer hardware-based tokens (e.g., Yubikey) or mobile authenticator apps over SMS-based methods, which are vulnerable to SIM-swapping.
 - If you use an authenticator app like Authy, 1Password, or Aegis to generate time-based one-time passwords (TOTP). Ensure that the secret keys are stored encrypted and protected with robust security measures.

src/community-management/README.md

@@ -17,21 +17,32 @@
   - [Cultivating a Security-Aware Mindset](./awareness/cultivating-a-security-aware-mindset.md)
   - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md)
   - [Resources & Further Reading](./awareness/resources-and-further-reading.md)
-- [Operational Security](./operational-security/README.md)
-  - [Detecting and Mitigating Insider Threats](./operational-security/detecting-and-mitigating-insider-threats.md)
-  - [G Suite Security](./operational-security/g-suite-security.md)
-  - [Password and Secrets Management](./operational-security/password-secrets-management.md)
-  - [Physical Security](./operational-security/physical-security.md)
-  - [SIM Swapping](./operational-security/sim-swapping.md)
-  - [Standard Operating Environment](./operational-security/standard-operating-environment.md)
-  - [Telegram](./operational-security/telegram.md)
-  - [Wireless Security](./operational-security/wireless-security.md)
-- [Key Management](./key-management/README.md)
-  - [Cold vs Hot Wallet](./key-management/cold-vs-hot-wallet.md)
-  - [Custodial vs Non-Custodial](./key-management/custodial-vs-non-custodial.md)
-  - [Hardware Wallets](./key-management/hardware-wallets.md)
-  - [Signing Schemes](./key-management/signing-schemes.md)
-  - [Software Wallets](./key-management/software-wallets.md)
+- [Operational Security](./opsec/README.md)
+  - [Overview](./opsec/overview/README.md)  
+    - [Security Fundamentals](./opsec/overview/security-fundamentals.md)
+    - [Implementation Process](./opsec/overview/implementation-process.md)
+    - [Web3 considerations](./opsec/overview/web3-considerations.md)
+  - [Threat Modeling Overview](./opsec/threat-modeling-overview.md)
+  - [Risk Management Overview](./opsec/risk-management-overview.md)
+  - [While Traveling](./opsec/travel/README.md)
+    - [Guide](./opsec/travel/guide.md)
+    - [TL;DR](./opsec/travel/tldr.md)
+  - [Governance & Program Management]()
+  - [Control Domains]()
+  - [Lifecycle]()
+  - [Monitoring & Detection]()
+  - [Incident Response & Recovery]()
+  - [Continuous Improvement & Metrics]()
+  - [Integration & Mapping to Other Frameworks]()
+  - [Appendices]()
+- [Wallet Security](./wallet-security/README.md)
+  - [Cold vs Hot Wallet](./wallet-security/cold-vs-hot-wallet.md)
+  - [Custodial vs Non-Custodial](./wallet-security/custodial-vs-non-custodial.md)
+  - [Hardware Wallets](./wallet-security/hardware-wallets.md)
+  - [Signing Schemes](./wallet-security/signing-schemes.md)
+  - [Software Wallets](./wallet-security/software-wallets.md)
+  - [Secure Multisig Best Practices](./wallet-security/secure-multisig-best-practices.md)
+  - [Secure Multisig Signing Process](./wallet-security/secure-multisig-signing-process.md)
 - [External Security Reviews](./external-security-reviews/README.md)
   - [Expectation](./external-security-reviews/expectation.md)
   - [Preparation](./external-security-reviews/preparation.md)