This document aims to provide a clear process for on-boarding new team members to the Node.js Security WG.
New members may self-nominate themselves, or be nominated to join the WG by existing members. They share an affinity to web or software security research, or activism around security and the Node.js project. All of which make good criteria to join the team but are not a closed list.
Every new member should be assigned a buddy to help mentor and coach them through the on-boarding period, relevant processes and activities that the WG handles.
A buddy is an active member of the WG who is familiar with the above topics, and should be recommended on the nomination issue/PR.
Open a Pull-Request in https://github.com/nodejs/security-wg that suggests to nominate a new team member. Provide as much background and context as possible which is relevant to this candidate and his potential future contributions to the Security WG.
References:
- Nominate Marcin Hoppe as member of the WG · Issue #163 · nodejs/security-wg · GitHub
- Nominate Gergely Nemeth as WG member by vdeturckheim · Pull Request #128 · nodejs/security-wg · GitHub
Patiently wait for feedback and +1’s from the team and a reasonable time to ensure nobody disagrees (7 days).
Once acceptance has been acquired by group members, the following should take place to setup the new member:
- Confirm that the new member has read, understands, and agrees to uphold the Code of Conduct. The work of triaging vulnerabilities in the Security WG is about handling sensitive matters with open source maintainers, and communication should be handled with care. If in doubt on how to communicate reach out to the Moderation team and ask for guidance. As a member of the Security WG please also be aware of public statements you make.
- Mentor should ping @cjihrig, @mhdawson, @sam-github or @ChALkeR to add the new member to the repository.
- New member should open a PR with his/her username added to the list in alphabetical order at: security-wg/README.md at master · nodejs/security-wg · GitHub
- New member should enable 2FA in GitHub
- New member should join the Security WG slack medium and confirm his identity by providing necessary slack user details in the following private discussion: Slack identity check
Please follow:
- New member should open a PR with his username added to security-wg/third_party_vuln_process.md at master · nodejs/security-wg · GitHub, where the username list is ordered alphabetically.
- New members should familiarize themselves with the 3rd party vulnerability triage process at: security-wg/third_party_vuln_process.md at master · nodejs/security-wg · GitHub
- New members should schedule an on-boarding demo session with their mentor to review the HackerOne platform where the new member receives a walk-through of our triage process.