Vulnerability disclosure and CLA documents

I think my package Robot Raconteur is ready for ROS Quality Category 2 but I am not sure what documents to use for 2.ii CLA and 7.i Vulnerability Disclosure. Wason Technology is a micro business so we don’t have a legal department for these issues, and stock documents are probably fine. The project is licensed under Apache 2.0. What documents have other projects used?

The package repository is here: GitHub - robotraconteur/robotraconteur: A communication framework for robotics and the Internet of Things, developed by Wason Technology, LLC

The tracking issue for Quality 2: Add ROS Quality Category 2 Declaration by johnwason · Pull Request #120 · robotraconteur/robotraconteur · GitHub

After looking around, this blog post from GitHub suggests using the text from the GitHub Security Lab’s disclosure policy:

If the Github Security Lab’s disclosure policy resonates with you, feel free to copy it and use it for your own disclosures.

Here is the text from their security policy:

This text seems fine to me, so I guess I will use it unless there are other suggestions.

ROS 2 Common Packages are covered by the REP-2006: ROS 2 Vulnerability Disclosure Policy.
It may be a source of inspiration as well.

I have decided to follow Canonical's lead and use the Harmony CLA (https://www.harmonyagreements.org/). My contributors page can be found here: Wason Technology, LLC - Contributors . The Canonical contributors page can be found here for reference: Contributor licence agreement | Ubuntu

If anyone is curious here is my completed quality statement: https://github.com/johnwason/robotraconteur/blob/ros_quality2/QUALITY_DECLARATION.md

The quality declaration will be included in the 1.0 release which should happen fairly soon.