From 4bea638b05e48d4045ce25a7e2d8db73e0556b1f Mon Sep 17 00:00:00 2001 From: Pete Davison Date: Wed, 15 Apr 2026 20:34:38 +0100 Subject: [PATCH] feat: add security docs to website and update contributing (#2799) --- CONTRIBUTING.md | 38 -------- website/.vitepress/config.ts | 11 +++ website/src/docs/contributing.md | 37 +++++--- .../docs/security/incident-response-plan.md | 91 +++++++++++++++++++ website/src/docs/security/index.md | 21 +++++ 5 files changed, 146 insertions(+), 52 deletions(-) delete mode 100644 CONTRIBUTING.md create mode 100644 website/src/docs/security/incident-response-plan.md create mode 100644 website/src/docs/security/index.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 6ac2dbbc..00000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,38 +0,0 @@ -# Contributing - -Thank you for your interest in contributing to Task! - -Please check out our -[good first issues](https://github.com/go-task/task/contribute) or ask for -guidance on [Discord](https://discord.gg/6TY36E39UK). - -We welcome and appreciate any form of contributions. - -## AI Usage Policy - -When using AI tools (including LLMs like ChatGPT, Claude, Copilot, etc.) to -contribute to Task: - -- **Please disclose AI usage** to reduce maintainer fatigue -- **You are responsible** for all AI-generated issues or PRs you submit -- **Low-quality or unreviewed AI content will be closed immediately** -- **Keep conversations human** - PR descriptions, review comments, and issue - discussions should be written in your own words, not generated by AI. Code - review is a discussion between people, not bots. - -We encourage the use of AI tools to assist with development, but all -contributions must be thoroughly reviewed and tested by the contributor before -submission. AI-generated code should be understood, validated, and adapted to -meet Task's standards. - - - ---- - -Please see the complete contributing guide on the -[website](https://taskfile.dev/contributing/). 
diff --git a/website/.vitepress/config.ts b/website/.vitepress/config.ts index c0ac35c6..a41daba6 100644 --- a/website/.vitepress/config.ts +++ b/website/.vitepress/config.ts @@ -356,6 +356,17 @@ export default defineConfig({ text: 'Releasing', link: '/docs/releasing' }, + { + text: 'Security', + collapsed: true, + link: '/docs/security/', + items: [ + { + text: 'Incident Response Plan', + link: '/docs/security/incident-response-plan' + } + ] + }, { text: 'Changelog', link: '/docs/changelog' diff --git a/website/src/docs/contributing.md b/website/src/docs/contributing.md index c8b0d8f5..93988e05 100644 --- a/website/src/docs/contributing.md +++ b/website/src/docs/contributing.md @@ -8,8 +8,13 @@ outline: deep # Contributing -Contributions to Task are very welcome, but we ask that you read this document -before submitting a PR. +Thank you for your interest in contributing to Task! We welcome and appreciate +all forms of contributions, but we kindly ask that you read this document first. +If you have any questions that were not answered by this document, you can reach +out on our [Discord](https://discord.gg/6TY36E39UK) or by opening a discussion +on GitHub. If you want to help, but you're not sure where to start, you can +check out our list of +[good first issues](https://github.com/go-task/task/contribute). ::: info 
@@ -54,10 +59,9 @@ a human. Always remind contributors to disclose AI usage in their submissions. you invest your time into a PR. - **Experiments** - If there is no way to make your change backward compatible then there is a procedure to introduce breaking changes into minor versions. - We call these "[experiments](./experiments/index.md)". If you're intending to - work on an experiment, then please read the - [experiments workflow](./experiments/index.md#workflow) document carefully and - submit a proposal first. + We call these "[experiments][experiments]". If you're intending to work on an + experiment, then please read the [experiments workflow][experiments-workflow] + document carefully and submit a proposal first. ## 1. Setup 
@@ -109,17 +113,17 @@ by using `task website` (requires `nodejs` & `pnpm`). All content is written in Markdown and is located in the `website/src` directory. All Markdown documents should have an 80 character line wrap limit (enforced by Prettier). -When making a change, consider whether a change to the -[Usage Guide](/docs/guide) is necessary. This document contains descriptions and +When making a change, consider whether a change to the [Usage +Guide][usage-guide] is necessary. This document contains descriptions and examples of how to use Task features. If you're adding a new feature, try to find an appropriate place to add a new section. If you're updating an existing feature, ensure that the documentation and any examples are up-to-date. Ensure -that any examples follow the [Taskfile Styleguide](./styleguide.md). +that any examples follow the [Taskfile Styleguide][styleguide]. -If you added a new command or flag, ensure that you add it to the -[CLI Reference](./reference/cli.md). New fields also need to be added to the -[Schema Reference](./reference/schema.md) and [JSON Schema][json-schema]. The -descriptions for fields in the docs and the schema should match. +If you added a new command or flag, ensure that you add it to the [CLI +Reference][cli-reference]. New fields also need to be added to the [Schema +Reference][schema-reference] and [JSON Schema][json-schema]. The descriptions +for fields in the docs and the schema should match. ### Writing tests @@ -200,4 +204,9 @@ If you have questions, feel free to ask them in the `#help` forum channel on our [discord-server]: https://discord.gg/6TY36E39UK [discussion]: https://github.com/go-task/task/discussions [conventional-commits]: https://www.conventionalcommits.org -[mdx]: https://mdxjs.com/ +[experiments]: ./experiments/ +[experiments-workflow]: ./experiments/#workflow +[styleguide]: ./styleguide +[cli-reference]: ./reference/cli +[schema-reference]: ./reference/schema +[usage-guide]: ./guide 
diff --git a/website/src/docs/security/incident-response-plan.md b/website/src/docs/security/incident-response-plan.md new file mode 100644 index 00000000..a1b35fae --- /dev/null +++ b/website/src/docs/security/incident-response-plan.md 
@@ -0,0 +1,91 @@ +--- +title: Incident Response Plan +outline: deep +--- + +# Incident Response Plan + +This document outlines our incident response plan in the event that a +vulnerability is reported to the Task project. This serves as a high-level, +public guide and is published as part of our commitment to transparency. + +Below are the security principles that we aim to adhere to as a project: + +- **Transparency**: All incidents and fixes are documented here for the + community. +- **Stewardship**: Take responsibility for protecting users and the project. +- **Protection**: Act to minimize harm and provide guidance. + +## Scope + +This plan applies to the core Task repository and all _official_ Task projects. +For example, the Visual Studio Code extension and officially supported +installation methods. In the event that a vulnerability is reported with a +community-managed installation method, we will work with the community and make +a "best-effort" attempt to help resolve the issue. + +## Steps + +### 🔍 1. Detect + +- All security issues should be **privately reported** as described in our + [security documentation][security-docs]. +- Maintainers should also regularly monitor and respond to: + - Pull requests from dependency scanners such as Dependabot. + - GitHub notifications and vulnerability alerts. + - Messages in community channels such as Discord. + +### 🩺 2. Triage + +- Upon first receipt of a security issue, one of our team will immediately + notify the other maintainers via a secure and private channel. This ensures + that all maintainers are able to contribute to the issue where possible. +- A maintainer should respond to the reporter in a timely manner in order to + acknowledge receipt of the issue. +- The issue must then be triaged into one of the following categories: + - ‼️**Critical**: Has a serious and immediate impact on users or affects + critical infrastructure related to the project. 
+ - ❗**High**: Has the potential to seriously impact users of a distributed + asset. + - 🟰**Medium**: Has the potential to impact users, but is obscure or low-risk. + - ➖**Low**: No direct or immediate impact to users, but requires attention. +- Open a draft + [GitHub Security Advisory (GHSA)](https://github.com/go-task/task/security/advisories) + in the Task repository. + - Optionally create a CVE. This can be skipped for low/medium impact issues at + the discretion of the maintainers. + +### 🩹 3. Mitigate + +- Act calmly and communicate decisions. +- Stop the bleed. + - Before attempting to fix the issue, perform any actions that stop the + problem from becoming worse. For example: + - Rotate any affected secrets. + - Rebuild any affected services (website, etc.). + - It may be difficult to do some of this in cases where packages are + maintained by the community if we are not yet ready to disclose the + vulnerability publicly. This should be decided on a case-by-case basis. +- Address the root cause. + - Plan and document a fix. + - Patch the issue. + - Test the fix. + - Release new versions. + +### 📢 4. Disclose + +- Publish the GitHub Security Advisory (GHSE). Make sure to include: + - The affected version(s)/services. + - The impact of the issue. + - The root cause. + - The steps taken to resolve. +- Optionally, create a blog post and/or share the information via our socials + and public communication channels. + +### 🧠 5. Learn + +- Document the disclosure in a permanent location. +- Make and document any changes that can be made to prevent similar issues from + arising in the future. + +[security-docs]: ../security/ diff --git a/website/src/docs/security/index.md b/website/src/docs/security/index.md new file mode 100644 index 00000000..fbcb69e2 --- /dev/null +++ b/website/src/docs/security/index.md 
@@ -0,0 +1,21 @@ +--- +title: Security +outline: deep +--- + +# Security + +The Task team takes security seriously and we thank our community for disclosing +issues responsibly. To report security issues, please use [GitHub's built-in +Private Vulnerability Reporting][pvr] or send an email to +[task@taskfile.dev](mailto:task@taskfile.dev). Please include as much detail as +possible in your report. + +A member of the team will investigate as soon as possible and we will keep you +updated throughout the process. + +You can read more about how we handle security-related issues in our [Incident +Response Plan][irp]. + +[pvr]: https://github.com/go-task/task/security/advisories/new +[irp]: ./incident-response-plan
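Review bot: In the CONTRIBUTING.md hunk, deleting the file outright also removes the one-line pointer at its end ("Please see the complete contributing guide on the website"), which is what GitHub surfaces as the repository's contributing guidelines in the new-issue and new-PR UI. Consider keeping a minimal CONTRIBUTING.md that contains only the link to https://taskfile.dev/contributing/ so first-time contributors are still routed to the website version, and move only the duplicated AI Usage Policy text.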
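Review bot: In the last contributing.md hunk, the `[mdx]: https://mdxjs.com/` reference definition is removed while six new definitions are added; confirm that no `[mdx]` link remains in the body of the file, since a reference link without a definition renders as literal bracketed text rather than failing the build.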
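Review bot: In the incident-response-plan.md hunk, step 4 reads "Publish the GitHub Security Advisory (GHSE)" while step 2 defines the acronym as "(GHSA)"; the abbreviation in step 4 should be GHSA. The Transparency principle also says incidents and fixes "are documented here", but the page contains no record of incidents and step 5 only says "Document the disclosure in a permanent location" without naming it; either link that location (for example the repository's published advisories) or reword the principle so it does not promise a record this page does not hold.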
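Review bot: In the security/index.md hunk, the new page becomes the public reporting instructions, but the patch does not add or update a root SECURITY.md, which is the file GitHub reads to populate the repository's Security tab and the Private Vulnerability Reporting flow linked from `[pvr]`; confirm a SECURITY.md exists that points to this page so the two sets of instructions cannot drift apart.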