# Contributing
Thanks for taking the time to review the Trust Surface Framework (TSF).
This repository is published for consultation and improvement. Contributions are welcome, particularly from:
- board and executive governance roles
- risk and compliance professionals
- cybersecurity and IT leadership
- procurement / vendor governance
- NFP and public-interest organisations
## What feedback is most valuable
Please focus on practical, adoption-oriented critique:
### Board usability
- Is it explainable in 3–5 minutes?
- Would a board understand the reporting outputs?
### Signal quality
- Are signals measurable and observable?
- Are they too technical or too vague?
### Lifecycle practicality
- Can organisations realistically implement this without a major program?
### Language and framing
- Does “Trust Surface” land as intended?
- Where does it risk being misunderstood as “attack surface rebranding”?
## How to contribute
### Option A: GitHub Issues (recommended)
Create an Issue using one of these prefixes:
- [Clarity] confusing wording, definitions, structure
- [Signal] add/remove/refine trust signals
- [Lifecycle] improvements to the lifecycle/adoption model
- [Governance] board/reporting/risk integration changes
- [Example] suggested use-case or scenario to include
### Option B: Pull Requests
If you want to propose text changes directly:
- Keep edits small and focused
- Avoid introducing large new sections without discussion
- Preserve the “board-readable” tone (minimal jargon)
## Contribution principles
- Prefer clarity over completeness
- Prefer observable/measurable over theoretical
- Prefer small additions over long lists
- Avoid turning the framework into a compliance checklist
## Scope boundaries (for now)
To keep v0.x coherent, the following are out of scope unless explicitly planned:
- formal certification programs
- scoring that implies a definitive “safe/unsafe” label
- vulnerability scanning guidance (this is not a pentest framework)
## Code of Conduct
Be constructive and respectful. Assume good intent. Focus critique on the framework, not individuals.