I think my package Robot Raconteur is ready for ROS Quality Category 2 but I am not sure what documents to use for 2.ii CLA and 7.i Vulnerability Disclosure. Wason Technology is a micro business so we don’t have a legal department for these issues, and stock documents are probably fine. The project is licensed under Apache 2.0. What documents have other projects used?
The package repository is here: GitHub - robotraconteur/robotraconteur: A communication framework for robotics and the Internet of Things, developed by Wason Technology, LLC
The tracking issue for Quality 2: Add ROS Quality Category 2 Declaration by johnwason · Pull Request #120 · robotraconteur/robotraconteur · GitHub
After looking around, this blog post from GitHub suggests using the text from the GitHub Security Lab’s disclosure policy:
If the Github Security Lab’s disclosure policy resonates with you, feel free to copy it and use it for your own disclosures.
GitHub's recommended 4-step process for coordinated vulnerability disclosure, with suggestions for reporters to foster a positive experience.
Here is the text from their security policy:
This text seems fine to me, so I guess I will use it unless there are other suggestions.
Jeremie
September 18, 2023, 11:21am
I have decided to follow Canonical's lead and use the Harmony CLA (https://www.harmonyagreements.org/). My contributors page can be found here: Wason Technology, LLC - Contributors. The Canonical contributors page can be found here for reference: Contributor licence agreement | Ubuntu
If anyone is curious here is my completed quality statement: https://github.com/johnwason/robotraconteur/blob/ros_quality2/QUALITY_DECLARATION.md
The quality declaration will be included in the 1.0 release which should happen fairly soon.