How participation works.
The commons is workable because the practices around it are explicit. Code of conduct, governance, and contribution norms are public and reviewed in the open.
Code of conduct
Participation in any SecOps-NG space — repositories, issue threads, RFCs, field notes — is governed by a community code of conduct. The short version: be respectful, be honest about uncertainty, assume good faith, and remember that the commons belongs to the people who maintain it.
The full text lives alongside the framework on GitHub. Reports of conduct concerns are handled by maintainers under the process documented there.
Governance
Decisions that affect the framework, the public website, or the compliance evidence commons happen in the open. Substantive changes go through an RFC; smaller changes happen through pull requests with maintainer review.
Two practices keep the commons forward-compatible with its eventual public audience:
- Forward-public hygiene. Every commit, issue, comment, and file in the framework and website repositories already passes the public-release bar — community language, no internal infrastructure detail, no credentials, no secret-shaped strings.
- Custodian review. Pull requests against the will-be-public repositories are reviewed against the language and sovereignty guardrails before merge.
Contributing
Contributions of all sizes are welcome — typo fixes, doc improvements, new cookbook workflows, compliance mappings, field notes for the blog, translations.
- Open an issue first for anything larger than a typo. One paragraph of intent is enough.
- Fork or branch, keep changes scoped, and open a pull request against
main. - Sign commits with DCO sign-off and use conventional-commit messages.
- The contribution guides at the root of each repository are the source of truth.
What does not belong in the commons
- Internal strategy, roadmaps, or commercial framing.
- Named organisations as prospects, partners, or leads.
- Credentials, internal hostnames, or anything secret-shaped.
- Personal pronouns ("I", "me", "my") in external surfaces.
When in doubt, the content goes in a private repository rather than the commons.