Commit 27ffa5a

Migrate content from servicedesk repo (#615)
migrate content from servicedesk repo Signed-off-by: Jeffrey Sica <[email protected]>
1 parent 3bb360c commit 27ffa5a

9 files changed

+384
-12
lines changed

@@ -0,0 +1,33 @@
1+
---
2+
title: Code Analysis & Audits
3+
weight: 3
4+
description: CNCF sponsored audits and code analysis tooling
5+
---
6+
7+
## Code analysis and fuzzing
8+
9+
Fuzzing is a technique for dynamically testing applications to find reliability and security bugs. Several CNCF projects use fuzz testing to analyse their code such as [Envoy](https://github.com/envoyproxy/envoy/blob/main/docs/security/audit_fuzzer_adalogics_2021.pdf), [Fluent-bit](https://github.com/fluent/fluent-bit/blob/master/doc-reports/cncf-fuzzing-audit.pdf), [Vitess](https://github.com/vitessio/vitess/blob/main/doc/VIT-02-report-fuzzing-audit.pdf), [Linkerd2-proxy](https://github.com/linkerd/linkerd2-proxy/blob/main/docs/reports/linkerd2-proxy-fuzzing-report.pdf), [Prometheus](https://github.com/prometheus/prometheus/blob/main/promql/fuzz.go), [Kubernetes](https://github.com/kubernetes/kubernetes/tree/master/test/fuzz), and more. The integration of fuzzing is often combined with [OSS-Fuzz](https://github.com/google/oss-fuzz) (all of the just-mentioned projects are integrated into OSS-Fuzz), which is a free online service that will run your fuzzer continuously. We highly recommend integrating fuzzing into your project, but the benefits of fuzzing varies from project to project.
10+
11+
Fuzzing works best with projects that have high code complexity, e.g. parsers, decoders, etc. but can be used in many other projects. You can fuzz projects in many languages, including C/C++, Go, Rust, Python and Typescript (not yet supported by OSS-Fuzz), and the type of bug you will find depends on which language your project is written in.
12+
13+
To give an understanding of the success fuzzing has achieved in various projects:
14+
15+
- Envoy has invested significantly in fuzzing and OSS-Fuzz has reported more than [1000](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Denvoy%20Type%3DBug&can=1) bugs as well as [115](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Denvoy%20Type%3DBug-Security&can=1) security relevant bugs
16+
- Fluent-bit has been fuzzed for slightly more than a year, and OSS-Fuzz has reported more than [200](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Dfluent-bit%20Type%3DBug&can=1) reliability issues and more than [100](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Dfluent-bit%20Type%3DBug-Security&can=1) security issues.
17+
18+
For an example where fuzzing was determined to have limited effects consider [Cloud Custodian](https://github.com/cloud-custodian/cloud-custodian). Cloud Custodian is a project written in Python and is very horizontal in its architecture in that it does not have deep code complexities. This is an example where fuzzing will have limited results as discussed in detail in a [PR](https://github.com/cloud-custodian/cloud-custodian/pull/6832) on the Cloud Custodian repository. However, Cloud Custodian still benefited from fuzzing finding a bug in the code of Cloud Custodian where fuzzing could be applied, but, in comparison to the other projects mentioned above Cloud Custodian is not integrated into OSS-Fuzz.
19+
20+
The following list indicates some common software properties that means your code is likely to benefit from fuzzing
21+
22+
- High code complexity
23+
- Deep code paths
24+
- Accepts untrusted input
25+
- If a reliability or reliability issue occur then it can have significant consequences for systems
26+
- Is used as a library by other applications
27+
- Projects in memory unsafe languages should have a high priority for being fuzzed (but fuzzing is not exclusive to memory unsafe languages)
28+
29+
## Security Audits
30+
31+
CNCF works with many independent third parties to provide [Security audits](https://github.com/cncf/toc/blob/main/docs/projects.md#project-security-audits) to projects (e.g., Kubernetes security audit). To request a such an audit, please file a ticket within ServiceDesk
32+
33+
We also support distributed systems safety research via independent third parties (e.g. <https://jepsen.io/>)
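Review bot: the list item "If a reliability or reliability issue occur then it can have significant consequences for systems" repeats "reliability"; the rest of the page pairs reliability with security bugs, so it should read "If a reliability or security issue occurs, it can have significant consequences for the systems that depend on the project". Smaller fixes in the same hunk: "the benefits of fuzzing varies" should be "vary", "To request a such an audit" should be "To request such an audit", that sentence and the Jepsen sentence both lack a terminating period, and "Typescript" is spelled "TypeScript". The Cloud Custodian paragraph also says fuzzing found a bug "in the code of Cloud Custodian where fuzzing could be applied", which reads circular; suggest "fuzzing still found a bug in the parts of the code base where it could be applied, although, unlike the projects above, Cloud Custodian is not integrated into OSS-Fuzz".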

website/content/resources/project-services/cicd/_index.md

-5
This file was deleted.
@@ -1,3 +1,64 @@
11
---
22
title: CNCF Support
3-
---
3+
weight: 1
4+
---
5+
6+
## Program Management
7+
8+
CNCF, our parent organization [The Linux Foundation](https://www.linuxfoundation.org/), and our [sibling projects](https://www.linuxfoundation.org/projects/) combined have years of experience in providing program management services for open source projects. We collaborate on best practices that we bring to CNCF-hosted projects.
9+
10+
CNCF staff is available to assist and guide your project. Below are some of the activities:
11+
12+
- Collaboration between maintainers and [LF Fellows](https://www.linuxfoundation.org/about/linux-foundation-fellows/) and CNCF sister projects in the LF to support knowledge sharing
13+
- Project governance creation and advice
14+
- Facilitating community meetings with support for online participation
15+
- Administrative support for communication and project processes
16+
- Biweekly or monthly check in meetings with CNCF Staff as requested
17+
- Project activity tracking and contribution reporting via [DevStats](https://devstats.cncf.io)
18+
19+
## Design and Aesthetics
20+
21+
CNCF offers graphic design resources for all projects, provided primarily by our in-house design team. When new projects enter the foundation, they receive a new logo, a website refresh if they wish, or an enhancement of their existing aesthetic. For example, see the [CloudEvents](https://cloudevents.io) or CNCF [SIG Security](https://github.com/cncf/sig-security) logo. If there is something creative you desire, please don't hesitate to reach out!
22+
23+
All project logos and color schemes are readily available via the [CNCF artwork repo](https://github.com/cncf/artwork).
24+
25+
## Legal Services
26+
27+
Legal services keep a project healthy and in compliance with licensing requirements, intellectual property regimes, and industry norms. Specific legal services include:
28+
29+
- Providing a [neutral home for project assets and trademarks](https://github.com/cncf/artwork)
30+
- Registering trademarks for your projects across geographies as needed
31+
- Support and responses to threatened litigation. For example, we worked with the Kubespray maintainers to change their name back from Kargo after receiving a C&D
32+
- Contributor License Agreement (CLA) system that integrates with GitHub
33+
- Developer Certificate of Origin (DCO) system that integrates with GitHub
34+
- Protect trademarks, such as a Uniform Domain-Name Dispute-Resolution Policy (UDRP) action to take over kubernetes.cn
35+
- Assistance with open source licensing review and strategy as needed
36+
- Access to legal staff should any legal questions arise
37+
38+
## End User Community
39+
40+
The CNCF's [End User Community](https://www.cncf.io/people/end-user-community/) includes over 140 top companies and startups that depend on cloud native technologies and are committed to collaborative infrastructure development. The End User Community is an active participant in key technology decisions by CNCF-hosted projects with leadership positions on the TOC and contributions to many CNCF projects.
41+
42+
For the definition of an end user see the [TOC FAQ](https://github.com/cncf/toc/blob/main/FAQ.md#what-is-the-definition-of-an-adopter) on adopters.
43+
44+
CNCF end users are telling their stories to help elevate the technical conversations to business objectives and challenges. CNCF projects are featured in these use cases and the impact cloud native projects are having on their business. You can explore [case studies by project](https://www.cncf.io/case-studies/), such as Prometheus or Envoy.
45+
46+
## Internationalization
47+
48+
The CNCF has professional staff located in Asia Pacific to assist projects with their activities in that region. We offer internationalization support including:
49+
50+
- Assistance for projects presenting at meetups and events.
51+
- Simultaneous live translations in both Chinese and English for our flagship KubeCon + CloudNativeCon China.
52+
- Translation services for projects that wish to have blog posts translated into other languages, see [Falco](https://falco.org/ja/) as an example.
53+
54+
## Certification and Training Services
55+
56+
The CNCF, along with The Linux Foundation, has made a major investment in implementing [training](https://www.cncf.io/certification/training/), expert certification for Kubernetes [developers](https://www.cncf.io/certification/ckad/) and [administrators](https://www.cncf.io/certification/cka/), and provider certification programs for Kubernetes as well as training for CNCF projects Prometheus and Fluentd. We have also worked with The Linux Foundation training team to develop self-paced online courses that can scale up a project's reach beyond what's possible using instructor-led courses. Over time, we expect to expand the training options to cover other projects.
57+
58+
Examples of training we've already developed include:
59+
60+
- Free Introduction to [Kubernetes course on edX](https://www.edx.org/course/introduction-to-kubernetes) MOOC
61+
- [Certified Kubernetes Administrator (CKA)](https://www.cncf.io/certification/cka/) exam
62+
- [Certified Kubernetes Application Developer (CKAD)](https://www.cncf.io/certification/ckad/)
63+
- [Monitoring Systems and Services with Prometheus](https://training.linuxfoundation.org/training/monitoring-systems-and-services-with-prometheus-lfs241/)
64+
- [Kubernetes and Cloud Native Associate (KCNA)](https://www.cncf.io/certification/kcna/)
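Review bot: "Biweekly or monthly check in meetings" should be hyphenated as "check-in meetings" (noun use). The Legal Services list also mixes fragments with full sentences: "Support and responses to threatened litigation. For example, we worked with ..." and "Protect trademarks, such as a Uniform Domain-Name Dispute-Resolution Policy (UDRP) action to take over kubernetes.cn" sit next to "Providing ..." and "Registering ..." items; suggest "Protecting trademarks, for example through a UDRP action to take over kubernetes.cn" for parallelism. The Internationalization items end with periods while every other list in this file does not; pick one convention.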
@@ -0,0 +1,97 @@
1+
---
2+
title: FAQ
3+
weight: 4
4+
description: Frequently Asked Questions by maintainers
5+
---
6+
7+
## FAQ
8+
9+
### How do I file a ticket with the Service Desk?
10+
11+
If you're a CNCF project committer/maintainer, all you have to do is visit [the web portal](https://servicedesk.cncf.io/) to request support.
12+
13+
All CNCF maintainers are listed [here](http://maintainers.cncf.io/).
14+
15+
### What happens if I want to use a tool or service not listed here?
16+
17+
Projects are welcome to use their own tools in the CNCF, we are a strong supporter of choice and flexibility. If you're interested in using a new tool and want CNCF to officially support it, please file a ticket and we will see what we can do to help!
18+
19+
### I have a project I want to donate to the CNCF
20+
21+
Awesome! To contribute your project to CNCF or discuss how CNCF can help your project, email <[email protected]> and read the [TOC repo](https://github.com/cncf/toc#projects) for further information.
22+
23+
### Is there an SLA for Service Desk issues?
24+
25+
Yes, you should receive a response within 48 hours.
26+
27+
### How much budget is available for projects?
28+
29+
The CNCF doesn't set a fixed amount of budget for each project and will work with you best on your needs.
30+
31+
### How do I file a security CVE as a project?
32+
33+
GitHub has also recently improved the ability to do security disclosures and generate CVEs, we recommend projects use this: <https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories#cve-identification-numbers> - As a backup, you can submit a CVE using the MITRE CVE submission form: <https://cve.mitre.org/cve/request_id.html> (The CNCF is currently not a CNA).
34+
35+
### How do I create a security disclosure process, e.g., SECURITY.MD file?
36+
37+
It is recommended that CNCF projects create a security disclosure process to make it easier for adopters to report issues.
38+
39+
There is no one set way, you can look at other CNCF projects for examples:
40+
<https://github.com/envoyproxy/envoy/blob/main/SECURITY.md>
41+
<https://github.com/etcd-io/etcd/blob/main/security/README.md>
42+
43+
Google has also put together a set of templates that may be useful:
44+
<https://github.com/google/oss-vulnerability-guide>
45+
46+
### How do I share credentials, passwords, or other confidential information?
47+
48+
The CNCF doesn't enforce the projects to use any specific tool for sharing credentials, passwords or other confidential information, however we recommend using [Keybase](https://keybase.io/) or applying for 1Password's [free open source plan](https://github.com/1Password/1password-teams-open-source).
49+
50+
### How can I use the computing infrastructure provided by the CNCF?
51+
52+
The CNCF prefers projects evaluate using our [Community Cluster](https://github.com/cncf/cluster) first. We have partnered with various providers that offer discounted or free services for CNCF projects. For example, CNCF projects may use the credits offered by [Amazon Web Services](https://www.cncf.io/announcement/2019/11/19/cloud-native-computing-foundation-receives-200000-in-credits-from-amazon-web-services-aws/) or [Oracle](https://www.cncf.io/blog/2024/02/02/oracle-oci-credits-are-now-available-to-cncf-projects-here-is-what-you-need-to-know/) for their upstream testing, CI/CD, and other purposes. See the [Tools](#tools) sections on this page for more details.
53+
54+
To benefit from one of these offers, please submit the Service Desk ticket with a detailed description of the request, including the purpose, a list of the desired services, and a rough cost.
55+
56+
Code being run must be 100 percent open source and must not include any sensitive data.
57+
58+
Please note that available computing resources are limited so we may ask you to reduce your usage when there is high demand for the available credits. Specifically, please consider shutting down the unused computing resources, use automation to terminate the bare metal/virtual machines if they are not intended to be used 24/7, use spot instances if applicable etc. Please estimate your budget to use no more than $3000/month USD in AWS or Oracle credits. If you expect higher resource usage on a regular basis, please consider using the [CNCF Cluster](https://github.com/CNCF/cluster) instead.
59+
60+
The CNCF expects fair usage of the allocated resources and credits, and reserves the right to terminate any allocated infrastructure resources and revoke the access to them in the case of violation of these rules.
61+
62+
### My project is affected by the [Docker Hub rate limits policy changes](https://www.docker.com/increase-rate-limits), what can I do?
63+
64+
In 2020, Docker announced the changes to [image retention](https://www.docker.com/blog/scaling-dockers-business-to-serve-millions-more-developers-storage/) and [data pull rates](https://www.docker.com/blog/scaling-docker-to-serve-millions-more-developers-network-egress/).
65+
66+
The CNCF has reached an agreement with Docker that these limits can be eliminated for CNCF projects - if your project is affected by these changes, please consider applying to the [Docker Expanded Support for Open Source Software Projects](https://www.docker.com/blog/expanded-support-for-open-source-software-projects/) program via the [form](https://www.docker.com/community/open-source/application/).
67+
68+
NOTE: To have your application processed correctly by Docker, please explicitly mention that your project is hosted by CNCF. Also, please note that the approval process may take a few weeks.
69+
70+
### How do I get GitHub project and team management for my project?
71+
72+
Each CNCF project can decide on its own how to manage GitHub invites and teams. Some are small enough and just do it manually, others use automated systems like these:
73+
74+
<https://github.com/kubernetes/org>
75+
<https://github.com/cilium/team-manager>
76+
<https://github.com/apps/settings>
77+
<https://github.com/github/safe-settings>
78+
79+
### My builds are slow, I would like to have expanded capacity for GitHub Actions, what can I do?
80+
81+
The CNCF has a special partnership with GitHub, please file a [Service Desk](https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/user/login) ticket and we can expand the amount of hosted runner minutes. Note, some projects have also expanded their build capacity by using the CNCF Cluster via [GHA External Runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)
82+
83+
### I don't have a Service Desk account
84+
85+
Head to the [Service Desk](https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/user/login) website and try to log in, if you can't find an account, email <[email protected]> and one will be created for you.
86+
87+
#### I am a Kubernetes SIG chair and I don't have a Service Desk account
88+
89+
The CNCF Service Desk policy for the Kubernetes community is defined at [Kubernetes Steering repo](https://github.com/kubernetes/steering/blob/main/operations/service-desk.md).
90+
91+
### I changed my email and lost my Service Desk access. What can I do to get it back?
92+
93+
Email <[email protected]> and one will be created for you.
94+
95+
### I am not happy with the level of service from CNCF staff, what can I do to escalate?
96+
97+
If you aren't happy with the service provided by CNCF staff or with a resolution of an issue, you have a couple of options. If it's a technical matter, you can appeal to the [Technical Oversight Committee](https://github.com/cncf/toc). If it's a budget-related matter you can appeal to the CNCF [Developer Representatives](https://github.com/cncfdevreps/issues) on the Governing Board.
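Review bot: "See the [Tools](#tools) sections on this page for more details" links to a `#tools` anchor, but this file contains only the FAQ headings and no Tools section, so the link is dead after the migration; either point it at the page that carries the tools list or drop the sentence. Other points in this hunk: the answer to "I changed my email and lost my Service Desk access" says "one will be created for you" with no antecedent, so "a new account will be created for you" is clearer; two different Service Desk URLs are used (servicedesk.cncf.io in the first answer, cncfservicedesk.atlassian.net in the GitHub Actions and account answers), so pick one; "SECURITY.MD" should be "SECURITY.md"; "The CNCF doesn't enforce the projects to use" should read "doesn't require projects to use"; and "GitHub has also recently improved" has an "also" with nothing preceding it.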
