docs: Update policies

- Update CONTRIBUTING.md
- Update SECURITY.md

Author: zanicar

CONTRIBUTING.md

@@ -1,42 +1,143 @@
-# Contributing to `nexus`
+# Contributing to Talus Projects
 
-Thank you for considering contributing to this project!
-The following guidelines help ensure a smooth process for everyone.
+Thank you for considering contributing to Talus! This document outlines our contribution process and standards across all Talus repositories.
 
-## How to Contribute
+## Getting Started
 
-1. **Fork the repository** and create your branch from `main`.
-2. **Follow the coding style** used in the project.
-3. **Write clear, concise commit messages.**
-4. **Add tests** for any new functionality.
-5. **Ensure all tests pass** before submitting a pull request.
-6. **Ensure `rustfmt` and `clippy` are happy** before submitting a pull request.
-7. **Do not use unsafe Rust code**.
-8. **Update documentation** to complement code changes
+All contributions follow our systematic development process. Please familiarize yourself with:
 
-## Reporting Issues
+- **[Discussion Guidelines](https://github.com/Talus-Network/.github/blob/main/DISCUSSIONS.md)** - How to propose and discuss ideas
+- **[Improvement Proposal Process](https://github.com/Talus-Network/.github/blob/main/IP_PROCESS.md)** - Our formal proposal and approval workflow
+- **Code of Conduct** - Standards for respectful collaboration
 
-- Use the [Issue Tracker] to report bugs or suggest enhancements.
-- Check if the issue already exists before submitting.
-- Provide steps to reproduce, expected vs. actual behavior, and relevant logs or screenshots.
+## How Ideas Become Features
 
-## Pull Request Process
+### 1. Community Discussion (GitHub Discussions)
+Start with a discussion to gauge community interest and gather initial feedback. Use our [Discussion Guidelines](link) to structure your proposal effectively.
 
-- Open a pull request with a clear description of what it does and why.
-- Link to the issue it fixes (if applicable).
-- Ensure your branch is up to date with `main`.
-- A maintainer will review and may request changes.
-- Your PR will be reviewed by maintainers and may be merged after approvals.
+### 2. Technical RFC (GitHub Discussions - Ideas)
+For ideas with community support, create a technical RFC to explore implementation approaches and feasibility.
 
-## Writing commit messages
+### 3. Improvement Proposal (GitHub Issues)
+Promising RFCs become formal Improvement Proposals following our [IP template](link). All significant changes require IP approval.
 
-- Use [Conventional Commits] specification for the commit messages
-- Use the present tense (e.g., "feat: add command on cli" not "feat: added command on cli")
-- Use imperative tone ("add command" not "adds command" or "adding command")
-- Reference a ticket if applicable.
-- Add more context and an explanation for the contribution.
+### 4. Implementation (Pull Requests)
+Approved IPs become implementation epics with specific development tasks.
 
-<!-- List of references -->
+## Development Standards
 
-[Issue Tracker]: https://github.com/Talus-Network/nexus/issues
-[Conventional Commits]: https://www.conventionalcommits.org/
+### Code Quality
+- **Follow established coding style** for the specific project language
+- **Write clear, concise commit messages** using [Conventional Commits](https://www.conventionalcommits.org/)
+- **Add comprehensive tests** for new functionality
+- **Ensure all tests pass** and code quality checks succeed
+- **Update documentation** to reflect changes
+- **No unsafe code** in Rust projects without explicit justification
+
+### Commit Message Format
+```
+type(scope): description
+
+- Use present tense ("add feature" not "added feature")
+- Use imperative mood ("fix bug" not "fixes bug")
+- Reference issues when applicable
+- Provide context for the change
+```
+
+### Pull Request Process
+1. **Link to Epic/Issue**: All PRs must reference the implementing issue/epic
+2. **Descriptive Title**: Clear summary of changes
+3. **Detailed Description**: What changed and why
+4. **Testing Evidence**: Demonstrate changes work as expected
+5. **Documentation Updates**: Include any required documentation changes
+
+## Issue Reporting
+
+### Bugs
+Use the bug report template to provide:
+- Steps to reproduce
+- Expected vs actual behavior
+- Environment details
+- Relevant logs or screenshots
+
+### Feature Requests
+Start with a Discussion rather than immediately creating feature request issues. This allows for community input and ensures alignment with project direction.
+
+### Security Issues
+**Never report security issues publicly.** Follow our [Security Policy](SECURITY.md) for responsible disclosure.
+
+## Code Review Standards
+
+### For Contributors
+- **Keep PRs focused**: One logical change per PR
+- **Respond promptly** to review feedback
+- **Test thoroughly** before requesting review
+- **Be respectful** of reviewer time and feedback
+
+### Review Process
+- Maintainers will review within 48-72 hours for active PRs
+- Address all review comments before requesting re-review
+- At least one maintainer approval required for merge
+- Automated checks must pass before merge
+
+## Community Guidelines
+
+### Communication
+- **Be respectful** and constructive in all interactions
+- **Assume positive intent** from other contributors
+- **Ask questions** when something is unclear
+- **Help others** learn and improve
+
+### Collaboration
+- **Search existing** discussions and issues before creating new ones
+- **Provide context** when referencing external information
+- **Update status** on work in progress
+- **Celebrate successes** and learn from failures
+
+## Repository-Specific Guidelines
+
+Different repositories may have additional requirements:
+
+- **Rust projects**: Use `rustfmt` and address `clippy` warnings
+- **Smart contracts**: Follow Sui Move best practices and security guidelines
+- **Documentation**: Use clear, accessible language with examples
+- **Frontend**: Follow accessibility standards and responsive design principles
+
+Check individual repository README files for specific requirements.
+
+## License and CLA
+
+### Contributor License Agreement
+All contributors must sign our Contributor License Agreement (CLA) before contributions can be merged. The CLA assistant will guide you through this process on your first PR.
+
+### Licensing
+- Most repositories use **Business Source License 1.1** by default
+- Open source projects use **Apache License 2.0**
+- Check individual repository LICENSE files for specific terms
+
+## Getting Help
+
+### Community Support
+- **GitHub Discussions**: General questions and community support
+- **Discord/Telegram**: Real-time community chat (links in project README)
+- **Documentation**: Comprehensive guides at [docs.talus.network](https://docs.talus.network)
+
+### Developer Support
+- **Technical Questions**: Start with GitHub Discussions
+- **Process Questions**: Reference this guide or ask in discussions
+- **Urgent Issues**: Follow our incident response procedures
+
+## Recognition
+
+We value all contributions and recognize contributors through:
+- Commit attribution and co-authorship
+- Contributor acknowledgments in release notes
+- Community recognition in discussions and social media
+
+Thank you for contributing to the Talus ecosystem! Your efforts help build the future of decentralized autonomous systems.
+
+---
+
+**Last updated**: 2025-09-22
+
+*This document is maintained by the Talus team and updated as our processes evolve. For questions or suggestions about these guidelines, please open a discussion.*

SECURITY.md

@@ -1,86 +1,144 @@
 # Talus Labs Security Policy
 
-This document describes the Talus Labs Security team's process for handling security issues.
+This document describes the Talus Labs security team's process for handling security issues across all Talus repositories and services.
 
 ## Reporting Security Issues
 
-__IMPORTANT:__ _Please DO NOT open public issues for security related matters, or discuss it in public forum or on social media._
+**IMPORTANT:** Please DO NOT open public issues for security-related matters or discuss them in public forums or on social media.
 
-### Email
+### Primary Reporting Methods
 
-All security issues should be reported via email to [security-reports@taluslabs.xyz](mailto:security-reports@taluslabs.xyz). Email is delivered to the Talus Labs security team.
+#### Email (Recommended)
+Report security issues to: **[security-reports@taluslabs.xyz](mailto:security-reports@taluslabs.xyz)**
 
-Include the following details in the report:
+Include these details in your report:
+- **Your information**: Name and affiliation (if applicable)
+- **Technical description**: Detailed issue explanation with reproduction steps
+- **Impact assessment**: Who can exploit this and what the implications may be
+- **Visibility status**: Whether this vulnerability is public or known to third parties
+- **Supporting evidence**: Relevant logs, screenshots, or proof-of-concept (if safe to share)
 
-- Your name;
-- Your affiliation (if applicable);
-- Technical description of the issue, including steps to reproduce;
-- Explanation of who may be able to exploit this vulnerability and what the impact or implications may be;
-- Whether this vulnerability is public or known to third parties. Please provide details where applicable;
+#### GitHub Private Vulnerability Reporting
+For repository-specific issues, use GitHub's private vulnerability reporting:
+1. Navigate to the repository's "Security" tab
+2. Click "Report a vulnerability" under Security Advisories
+3. Complete the form with detailed information
 
-_Please notify the Talus Labs security team at the email above of existing public issues that may be of critical security importance._ Please ensure to include the issue ID along with a short description / explanation of the security relevance.
+See [GitHub's documentation](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) for more information.
 
-### GitHub Private Vulnerability Reporting
+### Encrypted Communication
 
-Under the repository "Security" tab / Security Advisories you will find "Report a vulnerability". Please complete the provided form with as much details as possible.
+For sensitive reports, use our PGP public key:
+- **Download**: [https://talus.network/security-pgp-key.txt](https://talus.network/security-pgp-key.txt)
+- **Key Server**: [keys.openpgp.org](https://keys.openpgp.org)
+- **Fingerprint**: `103391C9AE4BE87A85E3EFAE2D4462A29BAB94AE`
 
-For more information on GitHub private vulnerability reporting [see this](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+**Always verify the fingerprint before using the key.**
 
-_Best practices for writing repository security advisories_ can be found [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories).
+## Our Response Process
 
-Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "[Privately report a security vulnerability](https://docs.github.com/en/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability)" in the REST API documentation.
+The Talus Labs security team will:
 
-### Encrypted Communication
+1. **Acknowledge receipt** within 72 hours
+2. **Verify and assess** the reported vulnerability
+3. **Determine scope** including affected versions and impact assessment
+4. **Audit for similar issues** to prevent related vulnerabilities
+5. **Develop fixes** for all affected production releases
+6. **Coordinate disclosure** with ecosystem stakeholders when appropriate
+7. **Deploy fixes** following our emergency release procedures
+8. **Publish advisories** once fixes are deployed and users can update
 
-If you wish to encrypt your vulnerability report, please use our PGP public key:
+### Timeline Expectations
+- **Initial response**: Within 72 hours
+- **Severity assessment**: Within 5 business days
+- **Fix development**: Varies by complexity, communicated during assessment
+- **Public disclosure**: After fixes are available and reasonable time for adoption
 
-- **Download**: [https://talus.network/security-pgp-key.txt](https://talus.network/security-pgp-key.txt)
-- **Key Server**: [keys.openpgp.org](https://keys.openpgp.org)
-- **Fingerprint**: `103391C9AE4BE87A85E3EFAE2D4462A29BAB94AE`
+## Incident Response Integration
 
-Always verify the fingerprint before using the key.
+Security issues may trigger our [Incident Management Plan](https://www.notion.so/taluslabs/Incident-Management-Plan-25e7a61d1baa80498736f5ece8e58ece), particularly for:
+- Active exploits affecting user funds or data
+- Platform-wide vulnerabilities
+- Critical infrastructure compromises
 
-## Handling Security Issues
+In such cases, response times may be accelerated and additional coordination procedures activated.
 
-The Talus Labs security team will:
+## Researcher Guidelines
+
+Please help us handle security issues effectively by:
+
+### Responsible Disclosure
+- **Allow reasonable time** for our team to respond and address issues
+- **Coordinate disclosure timing** to ensure users can protect themselves
+- **Provide clear communication** throughout the process
+
+### Research Ethics
+- **Avoid exploitation** of discovered vulnerabilities
+- **Demonstrate good faith** by not disrupting services, data, or communities
+- **Respect privacy** and avoid accessing user data
+- **Follow applicable laws** in your research activities
+
+## Safe Harbor Policy
+
+Talus Labs is committed to working constructively with security researchers and the broader security community.
+
+### Legal Protection
+When conducting vulnerability research according to this policy, we consider such research to be:
+
+- **Authorized** under applicable computer fraud and abuse laws
+- **Exempt** from Terms of Service restrictions that would interfere with security research
+- **Lawful and beneficial** when conducted in good faith and compliance with applicable laws
+
+### Research Scope
+This safe harbor applies to security research on:
+- **Talus Labs infrastructure** and operated services
+- **Nexus platform** and related open source software
+- **Public-facing applications** and websites operated by Talus Labs
+- **Smart contracts** deployed by Talus Labs
 
-1. Acknowledge receipt within 72 hours;
-2. Verify and confirm the issue;
-3. Determine affected versions and scope of impact;
-4. Conduct audits to find any potential similar and related issues;
-5. Prepare fixes for relevant in-production releases;
-6. Endeavor to communicate and coordinate with relevant ecosystem stakeholders, including the Nexus communities, at the appropriate times;
+### Good Faith Requirements
+To qualify for safe harbor protection, research must:
+- **Avoid privacy violations** and data access/modification
+- **Prevent service disruption** or data destruction
+- **Exclude social engineering** against employees or community members
+- **Provide reasonable disclosure time** before any public disclosure
+- **Comply with applicable laws** and agreements
 
-Please assist the Talus Labs security team by following these guidelines:
+## Scope and Exclusions
 
-- Allow a reasonable amount of time for the team to respond to and address the issue;
-- Avoid exploiting any issues or vulnerabilities that you may become aware of;
-- Demonstrate good faith by not disrupting the Talus Labs / Nexus networks, data, services or communities;
+### In Scope
+- **Platform vulnerabilities**: Nexus protocol and infrastructure
+- **Smart contract issues**: Logic flaws, economic exploits, access control
+- **Infrastructure security**: API endpoints, authentication, data handling
+- **Dependency vulnerabilities**: Third-party library issues affecting our services
+- **Configuration issues**: Misconfigurations leading to security exposure
 
-_Every effort will be made to handle and address security issues as quickly and efficiently as possible._
+### Out of Scope
+- **Social engineering** attacks on staff or users
+- **Physical security** of office locations
+- **Distributed denial of service (DDoS)** attacks
+- **Spam or content-based** attacks
+- **Issues in third-party** services not controlled by Talus Labs
 
-## Safe Harbor
+## Recognition and Rewards
 
-Talus Labs is committed to working with security researchers and the broader security community. We believe that responsible security research benefits everyone and helps keep our users safe.
+From time to time we may operate formal bug bounty programs. We may publish these on our web site, social media or other formal communication channels.
 
-**Legal Safe Harbor**: When conducting vulnerability research in accordance with this policy, we consider such research to be:
+We recognize valuable security research through:
+- **Public acknowledgment** in security advisories (with your permission)
+- **Direct communication** with our security team
+- **Community recognition** when appropriate
+- **Swag and merchandise** for significant contributions
 
-- **Authorized** in accordance with applicable computer fraud and abuse laws, and we will not initiate or recommend legal action against you for accidental, good-faith violations of this policy;
-- **Exempt** from restrictions in our Terms of Service/Use that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
-- **Lawful** and helpful to the overall security of the Internet when conducted in good faith and in compliance with applicable laws.
+## Questions and Support
 
-**Research Guidelines**: To qualify for safe harbor protection, security research must be conducted in good faith, which means:
+For questions about this security policy or the reporting process:
+- **Email**: [security-reports@taluslabs.xyz](mailto:security-reports@taluslabs.xyz)
+- **General security discussions**: Use GitHub Discussions in relevant repositories
 
-- You make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of Talus Labs services and the Nexus network;
-- You do not access, modify, or delete data belonging to others;
-- You do not perform attacks that could harm the reliability/integrity of our services or data;
-- You do not use social engineering techniques against our employees, contractors, or community members;
-- You provide us with reasonable time to address the issue before any disclosure;
-- You do not violate any law or breach any agreement in the course of your research.
+---
 
-**Scope**: This safe harbor applies to security research conducted on:
-- Talus Labs operated infrastructure and services
-- Open source Nexus software and related repositories
-- Public-facing websites and applications operated by Talus Labs
+**Last updated**: 2025-09-22
+**Version**: 2.0
 
-If you have questions about whether your research is consistent with this policy, please contact us at [security-reports@taluslabs.xyz](mailto:security-reports@taluslabs.xyz) before proceeding.
+*This policy is regularly reviewed and updated to reflect our evolving security practices and community needs.*