From 0f0a534f2558e0279acd9d95efdae8fd777d364b Mon Sep 17 00:00:00 2001 From: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com> Date: Sun, 31 May 2026 00:12:14 -0500 Subject: [PATCH] docs: add CONTRIBUTING.md and SECURITY.md for open source --- CONTRIBUTING.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 46 ++++++++++++++++++++++++ 2 files changed, 140 insertions(+) create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..4abfa98 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,94 @@ +# Contributing to Linux-Patch-Manager + +Thank you for your interest in contributing to Linux-Patch-Manager! We appreciate every contribution — from bug reports and documentation improvements to new features and security fixes. + +## Code of Conduct + +This project follows the [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) code of conduct. By participating, you are expected to uphold this standard. Please report unacceptable behavior to the maintainers. + +## How to Contribute + +1. **Fork** the repository +2. Create a **feature branch** from `main`: + ```bash + git checkout -b feat/my-feature + ``` +3. Make your changes +4. Ensure all CI checks pass: + ```bash + # Rust backend + cargo fmt --check + cargo clippy -- -D warnings + cargo test + + # TypeScript/React frontend + cd frontend + npm run lint + npm run build + npm test + ``` +5. **Commit** using conventional commit format (see below) +6. Open a **Pull Request** against `main` + +## Development Setup + +### Prerequisites + +- **Rust toolchain** (stable) — [rustup](https://rustup.rs/) +- **Node.js** 20+ (for the frontend) — [nvm](https://github.com/nvm-sh/nvm) recommended +- **System dependencies**: + ```bash + sudo apt-get install build-essential libsystemd-dev pkg-config libssl-dev + ``` + +### Build & Run + +```bash +# Backend +cargo build +cargo test + +# Frontend +cd frontend +npm install +npm run build +npm test +``` + +## Commit Messages + +We use [Conventional Commits](https://www.conventionalcommits.org/): + +| Prefix | Usage | +|----------|------------------------| +| `feat:` | New feature | +| `fix:` | Bug fix | +| `docs:` | Documentation changes | +| `chore:` | Maintenance tasks | +| `refactor:` | Code refactoring | +| `test:` | Adding or updating tests | +| `ci:` | CI configuration changes | + +Example: +``` +feat: add patch scheduling to manager dashboard +``` + +## Pull Request Requirements + +- All CI checks must pass (fmt, 
clippy, test, audit, build) +- One feature or fix per PR — keep changes focused +- Include a clear description of what changed and why +- Update documentation if your change affects behavior + +## Reporting Issues + +Use [GitHub Issues](https://github.com/Draco-Lunaris/Linux-Patch-Manager/issues) to report bugs, request features, or ask questions. Please include: + +- Steps to reproduce (for bugs) +- Expected vs. actual behavior +- Relevant logs or error messages + +## License + +By contributing, you agree that your contributions are licensed under the [Apache License 2.0](LICENSE), the same license as this project. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..52106ad --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,46 @@ +# Security Policy + +## Supported Versions + +Only the **latest release** is currently supported with security updates. + +| Version | Supported | +|---------|----------| +| Latest | ✅ | +| Older | ❌ | + +## Reporting a Vulnerability + +**Do not report security vulnerabilities through public GitHub Issues.** + +Instead, use GitHub's private vulnerability reporting: + +👉 [Report a vulnerability for Linux-Patch-Manager](https://github.com/Draco-Lunaris/Linux-Patch-Manager/security/advisories/new) + +This allows us to coordinate a fix before public disclosure. + +### Response Timeline + +- **Acknowledgment** within 48 hours +- **Initial assessment** within 7 days +- **Ongoing updates** on remediation progress + +## Disclosure Policy + +We follow **coordinated disclosure**: + +- We ask for **90 days** before public disclosure of a vulnerability +- Security advisories are published via [GitHub Security Advisories](https://github.com/Draco-Lunaris/Linux-Patch-Manager/security/advisories) +- We will work with you to determine an appropriate disclosure timeline when a fix requires more time + +## Security Best Practices + +This project is a security tool — we hold ourselves to a high standard: + +- **Signed commits**: All commits must be signed (SSH signing) +- **CI enforcement**: All PRs require passing CI checks (fmt, clippy, test, audit, build) +- **Dependency auditing**: `cargo audit` runs in CI to catch known vulnerabilities + +## Credit + +Contributors who responsibly report vulnerabilities will be credited in the corresponding GitHub Security Advisory.
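Review bot: in the CONTRIBUTING.md hunk, the local pre-PR checklist in step 4 of "How to Contribute" does not match the gate stated under "Pull Request Requirements" and in SECURITY.md: the commands stop at `cargo test` / `npm test`, while the PR requirement lists `audit` and SECURITY.md requires every commit to be SSH-signed, so a contributor who follows the steps literally still gets blocked. Suggest adding `cargo audit` to the Rust block (with `cargo install cargo-audit` under Prerequisites) and a short signing setup before step 5, e.g. `git config gpg.format ssh`, `git config user.signingkey ~/.ssh/id_ed25519.pub` and `git config commit.gpgsign true`, or at least a pointer to the SECURITY.md requirement. Also, the Code of Conduct section asks to "report unacceptable behavior to the maintainers" without naming a channel; an address or a link would make that actionable.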
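Review bot: in the SECURITY.md hunk, the "Dependency auditing" bullet under "Security Best Practices" covers only the Rust side (`cargo audit`), while CONTRIBUTING.md in the same patch describes a TypeScript/React frontend with its own npm dependencies that this policy leaves unaudited; suggest either adding `npm audit` (or an equivalent lockfile scanner) to CI and to this list, or scoping the claim to the backend. Two smaller points: the "Signed commits" bullet states a policy, but it only becomes a real gate when `main` has the "Require signed commits" branch-protection rule enabled and contributors have registered their SSH key on GitHub as a signing key, so say how it is enforced; and the private vulnerability reporting link only resolves once that feature is enabled in the repository's security settings, so consider adding a fallback contact (an email address) for reporters who cannot use GitHub.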