dev-sec · schurzi · Nov 17, 2022 · Nov 17, 2022
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -15,7 +15,7 @@ In order to contribute code please:
 1. Fork the project on GitHub
 2. Clone the project
 3. Add changes (and tests)
-4. Commit and push
+4. Commit, sign off and push your changes
 5. Create a merge-request
 
 To have your code merged, see the expectations listed below.
@@ -28,6 +28,24 @@ Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCom
 
 ## Expectations
 
+## Sign off Your Work
+
+The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
+[Here is the full text of the DCO](http://developercertificate.org/).
+Contributors must sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+
+```text
+This is my commit message
+
+Signed-off-by: Random J Developer <[email protected]>
+```
+
+Git even has a -s command line option to append this automatically to your commit message:
+
+```text
+git commit -s -m 'This is my commit message'
+```
+
 ### Don't reinvent the wheel
 
 This hardening project doesn't intend to reinvent the configuration stack for services. Aim to use official configuration projects first and provide hardening as a layer on top. The goal is remove the need for a user to configure all aspects of services and maintain security configuration. This way, the user can still configure a service using the interface provided by the official project.