Codes of Conduct

A code of conduct is a document that sets behavioral expectations for everyone participating in an open source project. It defines what is acceptable, what is not, and what happens when someone crosses the line. Most successful open source projects have one. The ones that do not often wish they did, usually after an incident they had no framework to handle.

Why You Need One

The argument against codes of conduct is that they are unnecessary bureaucracy for reasonable adults. The argument for them is that not everyone behaves reasonably, and when someone does not, you need a pre-established framework to respond. Without one, maintainers are left improvising during a crisis, which usually goes badly.

What a code of conduct does:

  Sets expectations
    New participants know what behavior is expected before they join.
    There is no ambiguity about whether personal attacks are tolerated.

  Protects contributors
    People from underrepresented groups are disproportionately targeted
    by harassment in open source. A code of conduct signals that the
    project takes their safety seriously.

  Gives maintainers tools
    When someone violates norms, maintainers can point to a document
    instead of making up consequences on the spot. "You violated
    section 3 of our code of conduct" is clearer and less personal
    than "I think you were rude."

  Reduces legal risk
    For projects backed by companies or foundations, a code of conduct
    demonstrates a commitment to a safe environment.

  Attracts contributors
    Many developers, especially those from marginalized groups, check
    for a code of conduct before contributing. Its absence is a red flag.

GitHub research from 2017 found that 93% of open source contributors had experienced negative behavior in open source, and 50% had witnessed it directed at someone else. The problem is not theoretical.

The Contributor Covenant

The Contributor Covenant is the most widely adopted code of conduct in open source. Created by Coraline Ada Ehmke in 2014, it is used by over 100,000 projects, including Kubernetes, Rails, Swift, Go, Rust, Linux, and .NET.

Contributor Covenant key sections:

  Our Pledge
    "We as members, contributors, and leaders pledge to make participation
    in our community a harassment-free experience for everyone, regardless
    of age, body size, visible or invisible disability, ethnicity, sex
    characteristics, gender identity and expression, level of experience,
    education, socio-economic status, nationality, personal appearance,
    race, caste, color, religion, or sexual identity and orientation."

  Our Standards
    Examples of positive behavior:
    - Demonstrating empathy and kindness
    - Being respectful of differing opinions
    - Giving and gracefully accepting constructive feedback
    - Focusing on what is best for the community

    Examples of unacceptable behavior:
    - Sexualized language or imagery
    - Trolling, insulting, or derogatory comments
    - Public or private harassment
    - Publishing others' private information without permission
    - Other conduct that could reasonably be considered inappropriate

  Enforcement Responsibilities
    Community leaders are responsible for clarifying and enforcing standards.
    They will take corrective action in response to any behavior they deem
    inappropriate, threatening, offensive, or harmful.

  Scope
    Applies in all community spaces and when someone is officially
    representing the community in public spaces.

  Enforcement
    Instances of unacceptable behavior may be reported to community leaders
    responsible for enforcement at [contact email].
    All complaints will be reviewed and investigated promptly and fairly.

Adopting the Contributor Covenant

Steps to adopt:

  1. Copy the text from contributor-covenant.org
  2. Save it as CODE_OF_CONDUCT.md in your repository root
  3. Fill in the contact email for reports
  4. Fill in the enforcement guidelines section
  5. Link to it from your README and CONTRIBUTING.md
  6. Announce it to existing contributors

GitHub provides a built-in feature to add a code of conduct to any repository. When you add a CODE_OF_CONDUCT.md file, GitHub displays it prominently on the repository's community profile.

Other Codes of Conduct

While the Contributor Covenant is the most common, other options exist for projects with different needs.

Alternative codes of conduct:

  Citizen Code of Conduct
    More detailed than the Contributor Covenant. Includes specific
    examples of harassment and a more structured enforcement process.
    Used by some larger communities.

  Ubuntu Code of Conduct
    Emphasizes being considerate, respectful, and collaborative.
    Less focused on prohibited behaviors, more on positive norms.
    Used by Ubuntu and related Canonical projects.

  Django Code of Conduct
    Tailored for the Django community. Includes a standing committee
    for enforcement. One of the earliest codes of conduct in open
    source (adopted 2013).

  Go Community Code of Conduct
    Based on the Contributor Covenant with additions specific to
    Google's expectations and Go community norms.

  Linux Kernel Code of Conduct
    Adopted in 2018, replacing the "Code of Conflict." Based on
    the Contributor Covenant. Its adoption was controversial but
    widely regarded as overdue given the kernel community's
    historically hostile culture.

For most projects, the Contributor Covenant is the right choice. It is widely recognized, well-tested, and easy to adopt. Only consider alternatives if your community has specific needs that the Contributor Covenant does not address.

Enforcement

A code of conduct without enforcement is decoration. The hardest part is not writing the document. It is following through when someone violates it, especially when that someone is a prominent community member.

The Enforcement Ladder

The Contributor Covenant suggests a graduated enforcement approach:

Enforcement levels:

  1. Correction
     Trigger: Minor, first-time offense (casual slur, dismissive comment)
     Action: Private message explaining what was wrong and why.
     Effect: The person is expected to apologize and adjust behavior.

  2. Warning
     Trigger: Repeated minor offense or a single moderate offense
     Action: Formal warning with specific consequences for continued behavior.
     Effect: No interaction with the people involved for a specified period.
             Violation of these terms may lead to a temporary ban.

  3. Temporary Ban
     Trigger: Serious violation or sustained inappropriate behavior
     Action: Temporary ban from all community interaction (issues, PRs,
             chat, events) for a specified period.
     Effect: Violating the ban terms results in a permanent ban.

  4. Permanent Ban
     Trigger: Pattern of violations, or a single egregious violation
             (threats, doxxing, sustained harassment)
     Action: Permanent removal from all community spaces.
     Effect: No appeal unless explicitly offered.

Handling Reports

When someone reports a violation:

  1. Acknowledge the report within 24 hours
     "Thank you for reporting this. We are reviewing it."

  2. Review the evidence
     Read the messages, check logs, talk to witnesses if needed.
     Do not discuss the report publicly.

  3. Decide on action
     Use the enforcement ladder. Consider severity, history, and
     whether the behavior was intentional.

  4. Communicate the decision
     Tell the reporter what action was taken (without revealing
     private details about the violator).
     Tell the violator what they did, why it was a violation,
     and what the consequences are.

  5. Document internally
     Keep a private record of all reports and decisions.
     This protects against claims of inconsistent enforcement
     and helps identify patterns.

  6. Follow up
     Check in with the reporter after a week. Is the behavior
     continuing? Do they feel safe?

Real-World Enforcement Examples

The Linux kernel's adoption of the Contributor Covenant in 2018 was one of the most high-profile code of conduct adoptions in open source history. For years, Linus Torvalds was known for verbally abusive behavior on the kernel mailing list, including personal insults and profanity directed at contributors. He took a temporary break to work on his behavior, and the kernel adopted the Contributor Covenant, replacing the largely ineffective "Code of Conflict."

The Node.js community faced enforcement challenges when a prominent contributor engaged in hostile behavior. The Technical Steering Committee used its code of conduct to issue warnings and ultimately remove the contributor's access. The process was painful but demonstrated that enforcement applies equally to everyone.

Creating a Welcoming Environment

A code of conduct is necessary but not sufficient. A welcoming environment requires active effort beyond the document.

Creating a welcoming environment:

  Language matters
    Use inclusive language in documentation, issues, and discussions.
    Avoid jargon that excludes newcomers. Replace "it's obvious" with
    an actual explanation.

  Respond to hostility immediately
    Do not let hostile comments sit unaddressed. Even if you cannot
    take action immediately, publicly acknowledge that the behavior
    is not acceptable. "We do not talk to each other that way here."

  Welcome new participants
    When someone files their first issue or PR, welcome them.
    A simple "Thanks for your first contribution!" goes a long way.

  Diverse leadership
    If your entire maintainer team looks the same, your community
    will struggle to feel welcoming to people who do not look like
    the maintainers. Actively recruit diverse maintainers.

  Accessible spaces
    Consider time zones when scheduling meetings. Provide text
    alternatives for video content. Use plain language. Do not
    assume everyone has fast internet or expensive hardware.

The Uncomfortable Truth About Toxic Communities

Some open source communities are toxic, and the toxicity is often tolerated because the toxic person writes good code. This trade-off is a false economy.

The cost of tolerating toxicity:

  Visible cost
    Contributors who leave publicly, citing hostile behavior.
    Bad reputation on social media and developer forums.
    Blog posts and conference talks warning people away.

  Invisible cost
    Contributors who never show up because they heard it is hostile.
    Contributors who lurk but never participate because they fear
    being attacked.
    Diverse perspectives that never enter the project.
    Companies that choose a competing project because they do not
    want to associate with a toxic community.

  The math
    One toxic contributor who drives away ten potential contributors
    is a net negative, regardless of how much code they write.

The Ruby community confronted this directly after multiple high-profile incidents of harassment at conferences and in online spaces. Community leaders created and enforced codes of conduct at major Ruby conferences, and the community's reputation gradually improved.

Common Pitfalls

  • Adopting a code of conduct and never enforcing it. The document creates expectations. If someone violates it and nothing happens, the message is that rules do not apply. Future reporters will not bother reporting, and victims will leave silently.

  • Treating enforcement as punishment rather than protection. The purpose of enforcement is not to punish bad actors. It is to protect the community. Frame actions around safety, not retribution.

  • Only enforcing against outsiders. If a core maintainer violates the code of conduct and faces no consequences while a new contributor gets banned for the same behavior, the code of conduct is performative. Equal enforcement is non-negotiable.

  • No private reporting mechanism. If the only way to report a violation is to post publicly, many people will not report. Provide an email address or a private form. Make sure the reporter's identity is protected.

  • Waiting for a crisis to adopt one. Adopting a code of conduct in the middle of a community conflict looks reactive and political. Adopt one early when there is no controversy, so it is already established when you need it.

  • Making the code of conduct too long or legalistic. If nobody reads it, it cannot set expectations. The Contributor Covenant works because it is short enough to read in five minutes. Do not turn it into a legal document.

Key Takeaways

  • A code of conduct sets behavioral expectations, protects contributors, and gives maintainers a framework for handling violations. Most successful open source projects have one.
  • The Contributor Covenant is the standard choice. It is used by over 100,000 projects, is well-tested, and takes minutes to adopt.
  • Enforcement is the hard part. A code of conduct without enforcement is worse than no code of conduct because it creates expectations that are never met.
  • Use a graduated enforcement ladder: correction, warning, temporary ban, permanent ban. Document all reports and decisions privately.
  • A welcoming environment requires more than a document. It requires inclusive language, prompt responses to hostility, diverse leadership, and accessible spaces.
  • Tolerating toxic behavior because someone writes good code is a false economy. One toxic person who drives away ten contributors is a net loss.