We have something similar: <a href="https://github.com/SheetJS/js-xlsx/blob/master/CONTRIBUTING.md" rel="nofollow">https://github.com/SheetJS/js-xlsx/blob/master/CONTRIBUTING....</a><p>In our case, the root problem is twofold: developers in other related projects have been less-than-circumspect in code contributions, and thanks to the Microsoft Shared Source Agreements (<a href="https://www.microsoft.com/en-us/sharedsource/default.aspx" rel="nofollow">https://www.microsoft.com/en-us/sharedsource/default.aspx</a>) there are many people who have looked at protected code and signed agreements.<p>It is probably even more relevant for Scala.js since they are dealing with the JDK and Oracle has not been afraid to pursue potential violations.