From de76078dad2a20073b741be282e23e488fc4bbc3 Mon Sep 17 00:00:00 2001 From: Evan Anderson Date: Fri, 11 Jul 2025 11:36:34 -0700 Subject: [PATCH] Add DO-01.02 disclaimer requirement Signed-off-by: Evan Anderson --- .gitignore | 1 + CONTRIBUTING.md | 9 ++++++--- baseline/OSPS-DO.yaml | 14 ++++++++++++++ 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index bcd2795..2565eb2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ docs/versions/devel.md +docs/versions/devel-checklist.md .DS_Store # generated output from go run ./... compile diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 401e3aa..0df0dd4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,14 +2,17 @@ ## Contributing to the Controls: -Currently, all the baseline controls are in `baseline.yaml`; follow the structure -[in the README](./README.md#baseline-structure) when proposing new entries. +Currently, all the baseline controls are in [`baseline/OSPS-$FAMILY.yaml`](./baseline/); +follow the structure [in the README](./README.md#baseline-structure) when proposing +new entries. ## Contributing to the Tooling: The baseline is published to https://baseline.openssf.org/ (via GitHub Pages) via Jekyll (a static site generator) using scripts from `./cmd` and formatting from -`./docs`, using GitHub Actions. +`./docs`, using [GitHub Actions](./.github/workflows/web-publish.yml). Changes +to the baseline will be published to the `devel` version until a new version is +[explicitly published](./docs/maintenance.md#osps-baseline-maintenance-process). ## PR guidelines diff --git a/baseline/OSPS-DO.yaml b/baseline/OSPS-DO.yaml index 6155617..b2425ef 100644 --- a/baseline/OSPS-DO.yaml +++ b/baseline/OSPS-DO.yaml 
@@ -75,6 +75,20 @@ controls: project, explaining how to install, configure, and use the project's features. If there are any known dangerous or destructive actions available, include highly-visible warnings. + - id: OSPS-DO-01.02 + text: | + If the project is designed only for use in non-sensitive contexts, the + project MUST indicate these restrictions in prominently alongside + usage instructions. + applicability: + - Maturity Level 2 + - Maturity Level 3 + recommendation: | + Some projects may not be designed or intended for use in + security-sensitive contexts (for example, when dealing with untrusted + inputs or privacy-sensitive data). To prevent accidental misuse, + a prominent disclaimer should be included alongside usage + documentation. - id: OSPS-DO-02 title: |
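Review bot: the .gitignore hunk adds `docs/versions/devel-checklist.md`, but nothing else in this patch produces that file (the diffstat lists only .gitignore, CONTRIBUTING.md and baseline/OSPS-DO.yaml), so the commit message should say which tool generates it, or the ignore entry should land together with the tooling change that writes it; as submitted, a reader of the history cannot tell why the path is ignored.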
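Review bot: the CONTRIBUTING.md hunk introduces two relative links whose targets are not touched by this patch, `./.github/workflows/web-publish.yml` and `./docs/maintenance.md#osps-baseline-maintenance-process`; confirm the workflow file name and the heading anchor exist, because a wrong anchor renders silently as a dead link on the published site. The link text `baseline/OSPS-$FAMILY.yaml` also reads as a literal path; a short gloss such as "one file per control family" next to it would make the `$FAMILY` placeholder clear to new contributors.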
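Review bot: the control text for OSPS-DO-01.02 contains a stray word, `MUST indicate these restrictions in prominently alongside usage instructions`; drop `in` (or make it `prominently, alongside`). Beyond the typo, the requirement is conditional on the project being `designed only for use in non-sensitive contexts`, which an assessor cannot determine from the outside, so a project with no disclaimer is indistinguishable from one that never considered the question; consider stating what satisfies the control when the condition does not apply (vacuously met, or met by documenting the intended usage context either way). The `recommendation` examples, `untrusted inputs` and `privacy-sensitive data`, are the only working definition of "security-sensitive" in the hunk and would be better placed in, or referenced from, the normative `text` field so the MUST statement is self-contained.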