Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This Code of Conduct is intended to inform and guide our communications in connection with our Coordinated Vulnerability Disclosure (CVD) practice, including the VINCE platform. We believe that successful vulnerability coordination requires an open exchange of ideas. Open exchange is possible only in an inclusive environment that fosters trust, dignity, understanding, and mutual respect, and where participants recognize the inherent worth of every person and group.
Table of Contents |
---|
Expectations
- All VINCE users are expected to follow this Code of Conduct, as well as the modified SEI Terms of Use.
- All VINCE users are expected to be familiar with our Vulnerability Disclosure Policy.
- All VINCE users are expected to act and interact in ways that contribute to an open, welcoming, diverse and inclusive, community.
- We do not tolerate any form of harassing or offensive behavior.
- Any offenders who are asked to stop their inappropriate behavior must comply immediately.
- If a VINCE user engages in inappropriate behavior, the offender may be suspended from further participation in the VINCE platform.
Governing Principles
A welcoming and collegial environment can be achieved when we adopt the following principles in our day-to-day actions and interactions.
Principle | Outcomes |
Trust one another | Work better and smarter individually and together and feel better about the work we do, how we do it, where we do it, and for whom we do it. |
Respect one another | Feel valued and supported, recognized, and energized to contribute our best at work. |
Be civil | Create and sustain positive experiences that build a safe and supportive environment. |
Be inclusive | Foster a sense of belonging, of giving and receiving respect, of enhanced self-esteem, of recognition and acceptance, and of supportive energy and commitment from leaders, colleagues and others. |
Terms of Use
The use of VINCE is subject to the SEI Terms of Use, with the following modification:
The VINCE platform is intended to provide a forum for the sharing of vulnerabilities in a controlled manner. Accordingly, to the extent that the posting, upload, or transmittal of any content would normally be prohibited by the SEI Terms of Use, such prohibition shall be inapplicable to the extent that such posting, upload, or transmittal was done for the purposes of coordinated vulnerability disclosure and was made using the VINCE platform as intended.
To the extent of any conflict between this Code of Conduct and the SEI Terms of Use, this Code of Conduct shall control.
Reporting Inappropriate Behavior or Actions
Instances of inappropriate behavior may be reported to the CERT/CC using the private message to CERT/CC mechanism within VINCE. All complaints will be reviewed and investigated promptly and fairly.
Instructions for using the private message feature of VINCE are available in Communicating.
All CERT/CC analysts are obligated to respect the privacy and security of the reporter of any incident.
CERT/CC analysts have the right to remove, edit, or reject comments, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for such decisions when appropriate.
Corrective actions to the violations of the VINCE Code-of-Conduct may include: private or public warnings, a temporary ban, or even a permanent ban from the system. The CERT/CC will consider these and other options to encourage a cooperative vulnerability coordination and disclosure process.
References and Other Resources
Portions of this document are adapted from
The Contributor Covenant, version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct/
- The FLOCON Code of Conduct, available at https://resources:.sei.cmu.edu/asset_files/Brochure/2015_015_001_447225.pdf
- The USENIX Event Code of Conduct https://www.usenix.org/conferences/coc
We also recommend VINCE users be familiar with and use bias-free language
- Bias-free communication guidance from Microsoft https://docs.microsoft.com/en-us/style-guide/bias-free-communication
Terminology, Power, and Inclusive Language in Internet-Drafts and RFCs, IETF draft https://tools.ietf.org/html/draft-knodel-terminology-03
Statement on Racism and Black, African-American, and African Diaspora Inclusion, USENIX https://www.usenix.org/blog/usenix-statement-racism-and-black-african-american-and-african-diaspora-inclusion
Panel | ||||||
---|---|---|---|---|---|---|
| ||||||
VINCE platform: The software service that the CERT/CC provides to enable its Coordinated Vulnerability Disclosure practice. VINCE user: Any user of the VINCE platform, including CERT/CC analysts, researchers, vendors, and other participants. CERT/CC analyst: Individuals authorized to represent the CERT/CC within the VINCE platform. |
Panel | ||||||
---|---|---|---|---|---|---|
| ||||||
|