
Get a passing CII badge [cncf requirement]

Open caniszczyk opened this issue 4 years ago • 3 comments

We require CNCF projects to go through this badging process: https://bestpractices.coreinfrastructure.org/en

This will involve crafting a SECURITY.md too

caniszczyk avatar Mar 19 '20 14:03 caniszczyk

Hi, @caniszczyk! I started working on this process for this repo (https://bestpractices.coreinfrastructure.org/projects/3801/) and I noticed that most questions seemed to apply to code, not specs. Can you let me know:

  1. What should be in the SECURITY.md for a spec?
  2. If there is anything I should adjust because of that?

Thanks!

bridgetkromhout avatar Mar 23 '20 18:03 bridgetkromhout

@bridgetkromhout as a spec it's tricky, but you have other projects in the repo like SDKs, impls, etc., so my advice here would be:

  1. create a .github repo in the org and add the SECURITY.md and other community health files like a CODE OF CONDUCT etc. there: https://github.blog/changelog/2019-02-21-organization-wide-community-health-files/
  2. in the SECURITY.md, make it applicable to the implementations and SDKs that live in the smi github org. I don't have a concrete example that maps well, but you can look at OPA: https://github.com/open-policy-agent/opa/blob/master/SECURITY.md

caniszczyk avatar Mar 23 '20 20:03 caniszczyk

@caniszczyk ah! So, the CII site wouldn't let me choose an organization (like https://github.com/servicemeshinterface), so I picked a single repo (https://github.com/servicemeshinterface/smi-spec). Should we be doing all this once for the organization, or five times (once for each repo)? One repo is the spec, one is the code for the website, and the other three are actually code.

bridgetkromhout avatar Mar 23 '20 21:03 bridgetkromhout

Closing due to project archival: https://www.cncf.io/blog/2023/10/03/cncf-archives-the-service-mesh-interface-smi-project/

bridgetkromhout avatar Oct 20 '23 12:10 bridgetkromhout