Make contributing easy

Requirements

• The codebase MUST have a public issue tracker that accepts suggestions from anyone.
• The codebase MUST include instructions for how to privately report security issues for responsible disclosure.
• The documentation MUST link to both the public issue tracker and submitted codebase changes, for example in a README file.
• The codebase MUST have communication channels for users and developers, for example email lists.
• The documentation SHOULD include instructions for how to report potentially security sensitive issues on a closed channel.

Why this is important

• Enables users to fix problems and add features to the shared codebase leading to better, more reliable and feature rich software.
• Allows collaborative uptake of shared digital infrastructure.
• Helps users decide to use one codebase over another.

What this does not do

• Guarantee others will reuse the codebase.

How to test

• There’s a public issue tracker.
• It’s possible to participate in a discussion with other users about the software.

Policy makers: what you need to do

• Track policy issues in the codebase, so that a relevant external policy expert can volunteer help.

Management: what you need to do

• Track management issues in the codebase, so that external managers with relevant experience can volunteer help.
• Support your experienced policy makers, developers and designers to keep contributing to the codebase for as long as possible.

Developers and designers: what you need to do

• Respond promptly to requests.
• Keep your management informed of the time and resources you require to support other contributors.

Further reading

• How to inspire exceptional contributions to your open-source project
• The benefits of coding in the open by the UK Government Digital Service.
• Verdaccio’s security policy is a really nice example.