Update governance: List of maintainers, new roles, security clarifications

embik · embik · commit ad70a0d12c3e · 2025-08-01T10:10:07.000+02:00
Signed-off-by: Marvin Beckers &lt;marvin@kubermatic.com&gt;
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -70,7 +70,7 @@ is the governing body for the project.
 a Maintainer or Owner, then this section should instead be a reference to that
 documentation -->
 
-To become a Maintainer you need to demonstrate the following:
+To become a [Maintainer](./MAINTAINERS.md) you need to demonstrate the following:
 
   * commitment to the project:
     * participate in discussions, contributions, code and documentation reviews
@@ -119,10 +119,8 @@ and can be rapidly returned to Maintainer status if their availability changes.
 
 Time zones permitting, Maintainers are expected to participate in the public
 community call meeting. Maintainers will also have closed meetings in order to
-discuss security reports or Code of Conduct violations. Such meetings should be
-scheduled by any Maintainer on receipt of a security issue or CoC report.
-All current Maintainers must be invited to such closed meetings, except for any
-Maintainer who is accused of a CoC violation.
+discuss security reports. Such meetings should be scheduled by any Maintainer on
+receipt of a security issue. All current Maintainers must be invited to such closed meetings.
 
 ## Code of Conduct
 
@@ -146,19 +144,52 @@ at least once a year.
 The Security Response Team is responsible for handling all reports of security
 holes and breaches according to the [security policy](./SECURITY.md).
 
+The members of the Security Response Team are documented in [MAINTAINERS.md](./MAINTAINERS.md).
+
 ## Voting
 
 While most business in kcp is conducted by "lazy consensus", periodically
 the Maintainers may need to vote on specific actions or changes.
 A vote can be taken on [the developer mailing list](https://groups.google.com/g/kcp-dev) or
 [the private Maintainer mailing list](https://groups.google.com/g/kcp-dev-private)
-for security or conduct matters.  Votes may also be taken at the community call
+for security issues.  Votes may also be taken at the community call
 meeting. Any Maintainer may demand a vote be taken.
 
 Most votes require a simple majority of all Maintainers to succeed. Maintainers
 can be removed by a 2/3 majority vote of all Maintainers, and changes to this
 Governance require a 2/3 vote of all Maintainers.
 
+Pull requests that make changes requiring Maintainer consensus may also be
+understood as a vote. They require the stated majority to be granted via
+LGTMs on the pull request. Such a pull request shall be announced to the developer
+mailing list and put on hold until the necessary majority has been reached.
+
+## Subprojects
+
+Any Maintainer may submit a [vote](#voting) to create a new subproject under the
+kcp-dev GitHub organization. Subprojects are governed by all Maintainers, but may
+take on additional Subproject Maintainers that are only responsible for the 
+specific subproject.
+
+It is the combined responsibility of Maintainers and Subproject Maintainers
+to review contributions to subprojects and make project goal decisions.
+Subproject Maintainers are not part of the private Maintainer mailing list and
+are involved in security responses on a need-to-know basis if the reported security
+issue concerns their respective subproject.
+
+Subproject Maintainers are elected by the Maintainers. Subproject Maintainers are
+allowed to participate in votes concerning their respective subprojects.
+
+## Approvers
+
+The Maintainers and Subproject Maintainers may elect trusted contributors to
+assist them in the review process for specific parts of the code. Those Approvers
+are allowed to approve and merge code contributions for certain subsets of the code
+(not a whole project), e.g. areas of the code that they have proven themselves
+to be very familiar with.
+
+Approvers do not have voting rights.
+
 ## Modifying this Charter
 
 Changes to this Governance and its supporting documents may be approved by a
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,25 @@
+# Maintainers
+
+The table below lists all current maintainers for the kcp project as defined by our [project governance](./GOVERNANCE.md).
+
+| Name                  | GitHub Handle                                    | Domains of reponsibility                                       | Affiliation                 |
+| --------------------- | ------------------------------------------------ | -------------------------------------------------------------- | --------------------------- |
+| Andy Anderson         | [@clubanderson](https://github.com/clubanderson) | Governance                                                     | IBM                         |
+| Sebastian Scheele     | [@scheeles](https://github.com/scheeles)         | Governance                                                     | Kubermatic                  |
+| Dr. Stefan Schimanski | [@sttts](https://github.com/sttts)               | Governance, kcp core                                           | NVIDIA                      |
+| Christoph Mewes       | [@xrstf](https://github.com/xrstf)               | kcp core, API Syncagent kcp-operator, infrastructure           | Kubermatic                  |
+| Mangirdas Judeikis    | [@mjudeikis](https://github.com/mjudeikis)       | kcp core                                                       | Upbound                     |
+| Marvin Beckers        | [@embik](https://github.com/embik)               | kcp core, kcp-operator, multicluster-provider, infrastructure  | Kubermatic                  |
+
+## Emeritus Maintainers
+
+No emeritus maintainers currently exist. We would like to highlight that this project does have prior maintainers and core contributors
+that, if they so wished, could (and should) be granted the status of emeritus maintainers.
+
+## Security Response Team
+
+The following maintainers are members of the security response team and enact the [security process](./SECURITY.md):
+
+- Dr. Stefan Schimanski
+- Mangirdas Judeikis
+- Marvin Beckers
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,12 +4,22 @@ The kcp maintainers take security for kcp very seriously, especially given kcp's
 
 ## Reporting a Vulnerability
 
-kcp uses GitHub to allow submission of private security reports. Please report any security finding via [this link](https://github.com/kcp-dev/kcp/security/advisories/new) or send a direct email to [kcp-dev-private@googlegroups.com](mailto:kcp-dev-private@googlegroups.com). Maintainers will triage your report as soon as possible and get in touch with you via your report or via email in case they have more questions.
+kcp uses GitHub to allow submission of private security reports. Please report any security finding via
+[this link](https://github.com/kcp-dev/kcp/security/advisories/new) or send a direct email to [kcp-dev-private@googlegroups.com](mailto:kcp-dev-private@googlegroups.com).
+Maintainers will triage your report as soon as possible and get in touch with you via your report or via email in case they have more questions.
 
-As a security researcher, please report vulnerabilities to kcp in a [coordinated vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html) fashion. In return, maintainers pledge to engage in good faith and collaborate with security researchers to address and publish vulnerabilities found in kcp as soon as possible.
+As a security researcher, please report vulnerabilities to kcp in a [coordinated vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html)
+fashion. In return, maintainers pledge to engage in good faith and collaborate with security researchers to address and publish vulnerabilities found in kcp as soon as possible.
 
 Please understand that the maintainers also do not accept results of dependency scanners without proof that the detected CVE / vulnerability can be used against kcp.
 
 ## Security Advisories
 
-Advisories are managed through GitHub. Public disclosure of vulnerabilities happens through GitHub and the kcp-users mailing list. Please visit [Security Advisories](https://github.com/kcp-dev/kcp/security/advisories) to review security bulletins published by the maintainers.
+Advisories are managed through GitHub. Public disclosure of vulnerabilities happens through GitHub and the kcp-users mailing list.
+Please visit [Security Advisories](https://github.com/kcp-dev/kcp/security/advisories) to review security bulletins published by the maintainers.
+
+## Security Response Committee
+
+kcp maintainers have formed a security response committee to ensure that security reports get addressed in a timely manner.
+You can find the list of members in [MAINTAINERS.md](./MAINTAINERS.md). Please do not contact them directly but follow the
+vulnerability reporting process as described abvove.
