incident-process.md

File metadata and controls

135 lines (81 loc) · 9.4 KB
title weight aliases description
Code of Conduct Committee Incident Reporting and Response Process
550
/coc-process
Overview of the Code of Conduct Committee's workflow when receiving and responding to an incident report.

Incident reporting and response process

This document outlines the Code of Conduct Committee's workflow when receiving and responding to an incident report. As each report is unique, the process is described at a high level.

When and Where does the Kubernetes Code of Conduct apply?

The Code of Conduct applies between all community members when interacting about Kubernetes. This primarily addresses official spaces, but if conduct-related issues are affecting our community in unofficial spaces in ways that are likely to also affect interpersonal interactions in official spaces, we may be asked to become involved.

What are the boundaries of the Kubernetes community?

There are no hard boundaries of the community, but common places we are asked to extend guidance to are:

  • Official Kubernetes communication channels
  • Kubernetes events and meetups
  • Media and web presences
  • Social media
    • In some cases, where individual social media messages are not related to Kubernetes but have been reported to the Code of Conduct Committee and are making project members feel unsafe or unwelcome, we might choose to act.

Incident Reports

What is an incident report?

An incident report is a description of an event, interaction, or public statement submitted to the Kubernetes Code of Conduct Committee, which the reporter feels violates the Kubernetes Code of Conduct.

Who can submit a report?

The Code of Conduct Committee accepts reports from everyone who interacts with the Kubernetes project community, contributor or otherwise. This includes, but is not limited to, the following:

  • Contributors and maintainers
  • Members of the Kubernetes Slack instance
  • Attendees and vendors at KubeCon/CloudNativeCon
  • CNCF Ambassadors
  • Vendors/companies/projects which use Kubernetes and need to interact with the community as a result

At times we encourage community members to email us if an incident is ongoing and we have not been contacted.

Where do private incident reports happen?

The Code of Conduct Committee's primary means of contact is our email address, conduct@kubernetes.io.

We can also be reached via Slack direct messages to individual committee members (see member list) or otherwise, though we might direct you to contact us via email.

How is the privacy of a report protected?

All incident-related discussions happen in private spaces between current Code of Conduct Committee members, and all members agree when joining the Committee to maintain the confidentiality of incidents to the extent permitted by law.

Where incidents relate to unintentionally or non-consensually publicly-visible content or messages, we may, or may request others to, delete that content to help preserve the privacy of involved parties.

Why does this process exist?

The reporting process exists to provide the community with mechanisms to keep people safe, and to ensure that poor behavior, regardless of who the initiator is, is not accepted.

The Code of Conduct Committee has unilateral power to address harms as needed and appropriate to restore community safety after any incident(s). We are separate from the Steering Committee and all other bodies in the Kubernetes community to provide a mechanism by which anyone can report, regardless of roles and organizational power dynamics which often lead to systemic underreporting.

Incident report workflow

Initial triage

The Code of Conduct Committee responds to all emails in a timely manner, usually within a few days.

When an email is received, it is reviewed for severity. Based on our training, the initial member(s) to review the report determine its severity and urgency. When necessary, we may alert other members and call for an urgent meeting, but in most cases we discuss asynchronously and develop a response plan.

We maintain a triage rotation schedule so that there are at least two people watching for incoming reports. This allows us to meet our SLA to the community.

Recusal

Before beginning investigation on an incident, members can recuse from (or refuse to pass judgement on) an incident if they feel a relationship with someone in the incident may hinder impartiality or create a perception of impropriety with respect to individuals involved in the reported incident. Some examples of reasons a Code of Conduct Committee member might recuse themselves are:

  • Direct reporting relationships, or company work relationships that would cause the investigation to appear inappropriate
  • Close working relationships in the Kubernetes community, for example co-leading a SIG with the reporter or someone else mentioned in the report

If all members of the Code of Conduct Committee felt the need to recuse themselves from an incident, the incident would be handled by our third-party mediator.

To reduce the likelihood of recusals, our election process stipulates that we may never have a majority of the Committee from a single employer.

Building a plan

The Code of Conduct Committee will privately discuss the incident report, and may or may not decide that we need more information prior to determining whether to take any action.

We consider the following at this stage:

  • Do we need clarification from the reporter beyond the initial report?
  • Do we need clarification from other individuals who may have been involved in, or witnesses to, the incident?
  • Is there a public record of the incident which we can review, such as a chat log or video recording?
  • Are there any privacy or safety considerations that we must take into account? For example, if we reach out to an individual named in the report, could this jeopardize the safety of the reporter or other individuals?

Reaching out to involved parties

It is our intention to put as little emotional labor as possible on those who have been harmed, and to protect the safety (both physical and emotional) of all community members. We work to be supportive and non-judgmental and to make the reporting process as safe and low-anxiety as possible.

In all instances these clarifying discussions are confidential.

Clarifying discussions typically take the form of a 1:1 email exchange, Slack DM, or Zoom meeting between a member of the Code of Conduct Committee selected during our triage of the incident report and the individual from whom clarification is sought. The Code of Conduct Committee member will explicitly identify themselves and indicate that they are engaging in the conversation as a representative of the Code of Conduct Committee. If the individual prefers, we will endeavor to make the meeting or conversation not 1:1, but instead include an observer/scribe agreed on by both parties, with all discussion still confidential.

Incident response workflow

Reconvening the Committee

When we have more information, the Code of Conduct Committee reconvenes, shares all information gathered, and moves on to incident response.

Depending on the complexity and severity of the incident, reaching a consensus may take some time. It may require follow-up conversations with affected individuals, or other inquiries.

Deciding on a Course of Action

We do not act recklessly, and in deciding on a course of action, we work as a team to include diverse perspectives, support the immediate safety needs of our community members, and support the long-term health of this community.

When deciding how to address an incident, the Code of Conduct Committee follows a trauma-informed restorative justice framework. Our decisions on a course of action are informed by the following goals:

  • Continuously working towards a community that is a safe and professional space in which individuals from any background can do their best work, authentically and free from harassment
  • Preferring non-punitive responses when possible
  • Prioritizing the safety of individuals to support the overall health of the community
  • Prioritizing education and coaching for those involved, when possible
  • Prioritizing the protection of contributing members of the Kubernetes project over external parties. This does not mean that we protect people with a higher number of commits or more seniority in the project, however.

In general, the committee strives for unanimous consensus before taking an action.

For example, we may choose to do nothing, to issue a private warning, to offer coaching, to recommend organizational changes, or to ban someone from a community platform.

Taking Actions and Communicating our Recommendations

When we have decided on a course of action, we do the following:

  • We clearly communicate our decision to those who need to hear it, without violating the confidentiality of those who requested it during the investigative process (if one was undertaken).
  • If and only if it is needed, we work with other leadership bodies (e.g., the Steering Committee and the Linux Foundation).
    • This may be necessary if the incident extends to other communities or event spaces, particularly if we feel there is elevated risk of harm to members of those communities
    • In rare cases, we might find it necessary to issue a public statement, either jointly or separately