Enforcing a Code of Conduct When a Contributor Violates It

June 06, 2026

You added a Code of Conduct to your repository months ago and hoped you'd never need it. Now someone has filed a report, or you've witnessed behavior that clearly crosses the line. The document exists, but nobody told you what to actually do when this moment arrives.

This guide covers exactly that: the practical steps from receiving a report to closing the case, written for maintainers who want to handle things fairly without letting the situation drag on or spiral.

What you'll learn

  • How to receive and acknowledge a violation report without bias
  • How to investigate the incident without making it worse
  • What enforcement actions are available and when to use each one
  • How to communicate your decision to all parties
  • Common mistakes maintainers make and how to avoid them

Before You Receive a Report: Have a Process Ready

Enforcement only works if there's a clear process behind it. If your Code of Conduct lists an email address but nobody checks it, or if one maintainer handles reports about another maintainer, you already have a problem before anything happens.

At minimum, define two things before a report lands: who receives reports and who makes the final call. For a solo-maintainer project, this might just be you, and that's fine, but name it explicitly. For a project with multiple maintainers, the person named in a report should recuse themselves from the decision entirely.

If you're using the Contributor Covenant or a similar template, read the enforcement section carefully. Many projects copy the document but skip building the process it assumes you have.

Receiving the Report

When a report comes in, your first job is to acknowledge it: not to investigate, not to judge, just to confirm the person was heard. Send a reply within 24 hours that confirms receipt, gives a rough timeline, and tells them what happens next.

Keep the acknowledgment short and factual:

Thank you for reaching out. We've received your report and will review it carefully. We'll follow up within [3–5 days] with next steps. We may contact you if we need clarification.

Do not promise a specific outcome at this stage. Do not share the reporter's identity with anyone yet. If the report came through a public channel (like a GitHub issue), move the conversation private immediately.

Gathering the Facts

Before you make any decision, collect the full picture. This means reading the original incident in its original context (not a summary) and noting what was said, where, and when.

Make a private record that captures:

  • The exact behavior reported (direct quotes or links, not paraphrases)
  • The date and platform where it occurred
  • Whether it was a one-time event or part of a pattern
  • Any relevant prior history with this contributor

If you need more information from the reporter, ask specific questions. Avoid open-ended prompts like
