The Conjur team spends a lot of time thinking about security policies. We create them regularly for our own operations and to help our clients succeed in securing their infrastructure. They are our primary tool for communicating about how we will grant access and maintain control. But our technology is not the only thing we’re concerned about protecting from bad actors: people too are vulnerable, and so we are also making plans to respond to harassment and abuse.
Like a security policy, a code of conduct is a communication tool to help your team improve its standards, practice good social hygiene, and be prepared to handle stressful situations without causing injury. (Here’s ours.) This perspective is the key to avoiding a classic pitfall of community management: the attitude that says—we’re all adults, we don’t need written rules to tell us to treat each other kindly.
Security experts emphasize that it’s not enough to be knowledgeable about good security practices. If your environment is littered with opportunities to give up security to cut corners then you’re working in a booby-trapped space and somebody is going to get hurt. This is no less true in the social realm: to maintain an environment that does not injure, exclude, undermine, and silence members of your community, you have to have a plan that’s flexible, compassionate, and up to date.
Anatomy of a code of conduct
Standards of conduct are not decided by committee: whether or not you have a written policy, your community maintains unwritten practices. You can observe some of your community’s standards by listening, but what you won’t catch is what happens when unusual circumstances arise. Communicating and enforcing a complete and understandable code of conduct will help improve the quality of the actual practices that will protect people in your community, or leave them undefended.
Here’s what a code of conduct needs to do in order to be complete:
Name the community mission
Most software projects, Conjur included, are not intended as a forum for conversation about any and all topics. Keep things in scope and begin with a mission for your community. Ask yourself what sort of conduct contributes to better circumstances for realizing your mission, and give yourself permission to exclude conduct that doesn’t.
Conjur’s mission is to set a new standard for how development, security, and operations teams work together. We strive to give application developers protection from breaches and confidence that they can code safely and deliver reliable software fast without getting hacked. So we put that in the code of conduct and resolve that our community maintainership will serve that aim.
Broadcast your availability
People need to know how to contact you in case they witness abuse in your community or are targeted. They need to know you’re listening and will respond. Make it clear what avenues of contact are available, and ensure that you can maintain a reasonable response window.
Call out unacceptable behaviors
People who have experienced discrimination, harassment and abuse in software spaces know that they can’t count on general well-meaning rules like “be excellent to each other.” If you’re a software engineer, you might know the DRY principle (“Don’t Repeat Yourself”) and feel like it’s repetitious to give lots of examples that are obvious to you. But just because you’ve said “be respectful” doesn’t mean it’s redundant to say “sexist, racist, homophobic, transphobic, ableist or otherwise discriminatory jokes and language are unacceptable in our community and will not be tolerated.” If it matters to you, get it all out there; and understand that if it’s not out there, some people will interpret that as a signal that it doesn’t matter to you.
It’s important to emphasize that it is behaviors and patterns of behavior, not people, that you are describing as unacceptable. Behaviors can be changed, and words can be taken back, so focus on those and not on traits which are fixed. Per Jay Smooth, your process will be effective when you have the “What You Did” conversation, but not when you have the “What You Are” conversation.
A just culture is one where people are comfortable speaking out to resolve safety issues (whether social or technical) but they understand where the line is between acceptable and unacceptable behavior. If you only use your code of conduct reporting process in rare circumstances and in response to the worst offenses, this creates an obstacle to maintaining a just culture. A warning sign of this pitfall is the tendency to say “that person could have communicated better, but this doesn’t rise to the level of a code of conduct violation, so we don’t need to say anything unless it gets worse.”
To make people feel more comfortable making a report, empower the response team with a variety of options that they can use for lesser issues and push back against the tendency to attach shame to the resolution process. Every community member can prepare to be challenged on their behavior; it is better to challenge a good community member to improve than it is to let an incident slide that contributes to normalizing behavior we don’t want to see.
Related: prepare as an organization to accept consequences
If a core maintainer or sysadmin harasses someone, they may need to take some time off from their usual role in your project. Make sharing systems knowledge and responsibilities so that anyone can take a break if a need arises into part of your community planning process.
This implies that community planning shares goals in common with DevOps transformation and with good labor practices around vacations and personal time. Lean in to that!
It is possible to wait too long
If somebody in your community harasses another person and there’s no structure in place to deal with it, then regrettably your best opportunity to create a code of conduct has already passed. Sometimes this situation results in the abuse being reported on social media and creating bad public relations for your project & its maintainership, but more often and more insidiously, the harassed person silently leaves the project after seeing the problem go unacknowledged and finding no way to reach out.
If the person does reach out on social media, it is possible that they will face retaliation. The cycle of abuse and retaliation against those who speak out create a fraught environment for establishing social standards and creating a process to deal with issues constructively and compassionately.
Security researcher Bruce Schneier wrote about a similar dynamic in a recent post about security around elections:
It’s vital to agree on these procedures and policies before an election. Before the fact, when anyone can win and no one knows whose votes might be changed, it’s easy to agree on strong security. But after the vote, someone is the presumptive winner – and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it’s too late to agree on anything.
By the time somebody in your community is hurting others, everything has changed. People now have incentive to argue in bad faith about what constitutes good community management, in order to manipulate the process to their own ends.
It’s not hard to find examples of misbehavior in software spaces. Trouble can come to you, and it’s up to you to be prepared, so don’t wait and don’t be dissuaded.
Create your code of conduct
If you participate in a software project, it’s time to start planning. Here are the steps to implement your own code of conduct:
Empower a small group to represent your community during the process
The process of adopting a code of conduct invites bikeshedding and needless controversy. Put an end to that before it begins by delegating to a small group of people representing the diversity of your community and empowering them to create and deliver your code of conduct. We got this idea from Free Software advocate and community leader Safia Abdalla who gave a brief, useful code of conduct breakdown at AlterConf.
Some people to think about including in your group:
- Stakeholders belonging to traditionally marginalized identities in your industry
- Your organization’s (or company’s) attorneys, if any
- Your initial abuse response team
- A representative of your marketing or social media team, if any
- Anyone in your organization who has experienced abuse or harassment online and who wants to advise the abuse remediation process
Watch out for common fallacies
Many of our software communities are populated by geeks of various stripes, and we’re vulnerable by some degree to the Geek Social Fallacies. Here are some of the fallacies as typically seen in software community management anti-patterns:
- “Ostracizers are evil, so we’ll never exclude anyone from our community except under the most extreme of circumstances.”Actually, a population of mildly abusive contributors left unchecked will silently exclude a large portion of your hypothetical contributors, who will self-select out of your community rather than put up with “acceptable” harassment. Give people support and opportunity to improve, but be prepared to show them the door if the behavior persists. Communities operating under this fallacy get slowly more abusive and accepting of harassment over time, so set a high bar.
- “Friends accept me as I am, so if we choose not to ban somebody from our community we should accept their behavior and move on. They act in this way everywhere else, and it doesn’t rise to the level where we need to ask them to leave, so it’s too much to expect them to behave differently here.”In fact, everyone is capable of behaving differently when the circumstances call for it. A person who falls somewhat short of community standards should be asked and expected to improve and to think again about how they can be a better citizen in our community.
- “Friends do everything together, so we need to get everybody’s input in order to make community decisions (like adopting a code of conduct or updating it.)”Really, there are many tasks better handled by a small team committed to doing what’s best for the whole community. Instead of getting everybody’s opinion up front, create and maintain robust channels for feedback and iteration on your community management practices.
Crib good content
Start with an organization you respect and use their code of conduct as a template. You’re free to start with ours, which is licensed Creative Commons BY-SA. We in turn used many ideas and whole paragraphs from NPM, Stumptown Syndicate, and the Rust Project, which are linked in our credits.
Ship it & revise it over time
A code of conduct sitting on the shelf isn’t doing you any good. Just like your software, don’t wait for perfection: ship it and iterate. Iterate on your COC group to make it more inclusive. Iterate on your language to make it clearer and more welcoming. Iterate on your enforcement practices to make them more humane, just, and constructive. And above all, keep your eye on your goal: creating confidence that misbehavior will be handled so that your community is unhindered from contributing to your mission.
Thank you for reading! We welcome your questions and feedback: connect with us on the CyberArk Commons.
CyberArk uses a collection of staff writers and practitioners to support the DevOps Security