This document aims to provide a clear process for off-boarding existing WG members due to inactivity or any other eligible reason.
Every 6 months the WG will run through a process of validating membership relevancy as follows:
- An issue will be posted on the WG Repository that will mention all existing WG members to query whether participation in the WG is still relevant.
- After 2 weeks, a reminder notice will be posted as an issue in this repository.
- After 4 weeks, move all of those who have not responded to emeritus status.
- Allow an additional 4-week grace period during which people can request to be added back without requiring the WG to reach consensus. Once the period is over, those who haven't responded to the issue will be removed from the WG (see the Revoking Access to Confidential Systems section for details on the access removal check-list) and kept as emeritus members.
At any time until the last time mark, any member can chime in and request to retain their membership without requiring the WG to reach consensus.
The following is a check-list of actions to be taken upon departure of users from the Security WG (either voluntarily or due to inactivity as described above):
- Remove user from Repo README, Triage Team
- Remove membership from Node.js WG GitHub Team
- Remove user from HackerOne platform
- Revoke any user-specific access tokens from HackerOne platform
- Remove user access from private team channels in Slack
The following is a check-list of actions to be taken upon voluntary departure of users from the Third-Party Triage Team, when the users will remain in the Security WG:
- Remove user from Triage Team
- Remove user from HackerOne platform
- Revoke any user-specific access tokens from HackerOne platform
- Remove user access from private team channels in Slack that are specific to the Triage Team (nodejs-security-wg.slack.com)