fixing changes, add security

Author: clewellyn-nava

.gitleaks.toml

@@ -11,7 +11,5 @@ useDefault = true
 regexTarget = "match"
 description = "whitelist public and test secrets"
 regexes = [
-  '''a''',
-  '''b''',
-  '''c''',
+  '''abcdefghijklmnoppleasechange''',
 ]

COMMUNITY.md

@@ -44,84 +44,7 @@ The members of bluebutton-sample-client-python-react community are responsible f
 Total number of contributors: <!--CONTRIBUTOR COUNT START--> <!--CONTRIBUTOR COUNT END-->
 
 <!-- readme: contributors -start -->
-<table>
-    <tbody>
-        <tr>
-            <td align="center">
-                <a href="https://github.com/JFU-NAVA-PBC">
-                    <img src="https://avatars.githubusercontent.com/u/135686833?v=4" width="100;" alt="JFU-NAVA-PBC"/>
-                    <br />
-                    <sub><b>Jim Fuqian</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/ajshred">
-                    <img src="https://avatars.githubusercontent.com/u/84713593?v=4" width="100;" alt="ajshred"/>
-                    <br />
-                    <sub><b>Adrian Jones</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/dtisza1">
-                    <img src="https://avatars.githubusercontent.com/u/36048547?v=4" width="100;" alt="dtisza1"/>
-                    <br />
-                    <sub><b>David Tisza</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/gmaciolek">
-                    <img src="https://avatars.githubusercontent.com/u/3953849?v=4" width="100;" alt="gmaciolek"/>
-                    <br />
-                    <sub><b>Gretchen Maciolek</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/sb-benohe">
-                    <img src="https://avatars.githubusercontent.com/u/71290292?v=4" width="100;" alt="sb-benohe"/>
-                    <br />
-                    <sub><b>sb-benohe</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/oragame">
-                    <img src="https://avatars.githubusercontent.com/u/22204906?v=4" width="100;" alt="oragame"/>
-                    <br />
-                    <sub><b>Don Seymour</b></sub>
-                </a>
-            </td>
-        </tr>
-        <tr>
-            <td align="center">
-                <a href="https://github.com/jimmyfagan">
-                    <img src="https://avatars.githubusercontent.com/u/90421499?v=4" width="100;" alt="jimmyfagan"/>
-                    <br />
-                    <sub><b>jimmyfagan</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/stiwarisemanticbits">
-                    <img src="https://avatars.githubusercontent.com/u/57143602?v=4" width="100;" alt="stiwarisemanticbits"/>
-                    <br />
-                    <sub><b>Shivam Tiwari</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/clewellyn-nava">
-                    <img src="https://avatars.githubusercontent.com/u/224594471?v=4" width="100;" alt="clewellyn-nava"/>
-                    <br />
-                    <sub><b>Connor Lewellyn</b></sub>
-                </a>
-            </td>
-            <td align="center">
-                <a href="https://github.com/bwang-icf">
-                    <img src="https://avatars.githubusercontent.com/u/178809349?v=4" width="100;" alt="bwang-icf"/>
-                    <br />
-                    <sub><b>bwang-icf</b></sub>
-                </a>
-            </td>
-        </tr>
-    <tbody>
-</table>
+
 <!-- readme: contributors -end -->
 
 ### Alumni

CONTRIBUTING.md

@@ -11,7 +11,7 @@ contributions.
 We encourage you to read this project's CONTRIBUTING policy (you are here), its
 [LICENSE](LICENSE.md), and its [README](README.md).
 
-### Workflow and Branhing
+### Workflow and Branching
 
 We follow standard GitHub Flow practices:
 
@@ -78,7 +78,7 @@ We welcome improvements to the project documentation. This includes:
 - Developer tutorials
 - Code comments and inline documentation
 
-Please file an [issue](https://github.com/CMSGov/ms-bb2-node-sdk/issues) for documentation improvements or submit a pull request with your changes.
+Please file an [issue](https://github.com/CMSGov/cms-bb2-python-sdk/issues) for documentation improvements or submit a pull request with your changes.
 
 **Documentation Resources:**
 - Developer documentation: https://cmsgov.github.io/bluebutton-developer-help/

README.md

@@ -137,27 +137,42 @@ This project follows standard GitHub flow practices:
 * Tests should be written for changes introduced
 * Each change should be deployable to production
 
-<!-- # Community
+# Community
+The Blue Button Web Server team is taking a community-first and open source approach to the product development of this tool. We believe government software should be made in the open and be built and licensed such that anyone can download the code, run it themselves without paying money to third parties or using proprietary software, and use it as they will.
 
-# Community Guidelines -->
+We know that we can learn from a wide variety of communities, including those who will use or will be impacted by the tool, who are experts in technology, or who have experience with similar technologies deployed in other spaces. We are dedicated to creating forums for continuous conversation and feedback to help shape the design and development of the tool.
+
+We also recognize capacity building as a key part of involving a diverse open source community. We are doing our best to use accessible language, provide technical and process documents, and offer support to community members with a wide variety of backgrounds and skillsets.
+
+# Community Guidelines
+Principles and guidelines for participating in our open source community are can be found in [COMMUNITY.md](COMMUNITY.md). Please read them before joining or starting a conversation in this repo or one of the channels listed below. All community members and participants are expected to adhere to the community guidelines and code of conduct when participating in community spaces including: code repositories, communication channels and venues, and events.
 
 # Governance
 For more information about our governance, see [GOVERNANCE.md](GOVERNANCE.md).
 
 # Feedback
 Got questions? Need help troubleshooting? Want to propose a new feature? Contact the Blue Button 2.0 team and connect with the community in our [Google Group](https://groups.google.com/forum/#!forum/Developer-group-for-cms-blue-button-api).
 
-# Policites
+# Policies
+### Open Source Policy
 
-# Public Domain
-This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).
+We adhere to the [CMS Open Source Policy](https://github.com/CMSGov/cms-open-source-policy). If you have any questions, just [shoot us an email](mailto:opensource@cms.hhs.gov).
 
-All contributions to this project will be released under the CC0 dedication. By submitting a pull request or issue, you are agreeing to comply with this waiver of copyright interest.
+### Security and Responsible Disclosure Policy
 
----------------
-    
+_Submit a vulnerability:_ Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
+For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
 
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software.
 
+In the spirit of [Executive Order 14028 - Improving the Nation's Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/CMSGov/bluebutton-web-server/network/dependencies.
 
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
+# Public Domain
+This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).
+
+All contributions to this project will be released under the CC0 dedication. By submitting a pull request or issue, you are agreeing to comply with this waiver of copyright interest.

SECURITY.md

@@ -0,0 +1,12 @@
+# Security and Responsible Disclosure Policy
+
+The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
+
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.

server/sample-bluebutton-config.json

@@ -1,7 +1,7 @@
 {
     "environment": "SANDBOX",
-    "client_id": "LHi4TsBoXwwwslUUxYFkNjtuVPvar4rVn10A6xHv",
-    "client_secret": "devhlKuz9NQXjNIUr5WfE9v4u0b9HzJVqt4XBqtAxdrwlAwru9yYHvRtrhmEAh8Ll57V7aTmr78TI59hz6l2ABwvQfZ2ou5h8g4sGqLuQ7NHvG2dPfSTy4auThnCdX8e",
+    "client_id": "<client_id>",
+    "client_secret": "<client_secret>",
     "callback_url": "http://localhost:3001/api/bluebutton/callback/",
     "version": 2
 }