Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: revise security-reporting text in README #23407

Closed
wants to merge 1 commit into from

Conversation

Trott
Copy link
Member

@Trott Trott commented Oct 10, 2018

Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • documentation is changed or added
  • commit message follows commit guidelines

Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.
@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Oct 10, 2018
@Trott
Copy link
Member Author

Trott commented Oct 10, 2018

How do I find out who is on nodejs-79566c66a30b0312@forwarding.hackerone.com so I can ask them if the current text and these changes are accurate? I can just email the address, I suppose, but what if I wanted to audit who is on the list? @nodejs/security-wg

@vsemozhetbyt vsemozhetbyt added the security Issues and PRs related to security. label Oct 10, 2018
@lirantal
Copy link
Member

what is that nodejs forwarding address for? seems to be an alias to the HackerOne Node core program? If so, @vdeturckheim should have access to see who is participating there.

Text LGTM.
Maybe we also want to mention the H1 core program? It might make the message a bit lengthier and confuse the user as to which should he choose (report on H1 or e-mail) so I'm ok with leaving it out.

@Trott
Copy link
Member Author

Trott commented Oct 10, 2018

what is that nodejs forwarding address for?

security@nodejs.org is the address we ask people to use when reporting security vulnerabilities in Node.js core.

The alias is defined in https://github.com/nodejs/email/blob/31a4b5cd3791d4cf14c484ac07574da0647921ee/iojs.org/aliases.json#L46-L51.

That's basically all I know, though. Although I imagine I could find more digging through git history and issue trackers spread out across the org. I'm hoping someone knows and will provide the answer, though.

@lirantal
Copy link
Member

Got it. I wasn't aware that we forward that directly to HackerOne.
So indeed @vdeturckheim can quickly take a look and tell you who is invited to that program.

@vdeturckheim
Copy link
Member

I theory the list is here https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md#team-that-triages-security-reports-against-node-core but it is highly outdated. I'll PR the updated list after lunch

@vdeturckheim
Copy link
Member

So I updated the list as of nodejs/security-wg#414

@Trott
Copy link
Member Author

Trott commented Oct 10, 2018

OK, so for this change, /ping @cjihrig @indutny @jasnell @mcollina @mhdawson @MylesBorins @rvagg @vdeturckheim

@Trott Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 11, 2018
Copy link
Contributor

@MylesBorins MylesBorins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Trott added a commit to Trott/io.js that referenced this pull request Oct 12, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: nodejs#23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@Trott
Copy link
Member Author

Trott commented Oct 12, 2018

Landed in bcbb937

@Trott Trott closed this Oct 12, 2018
Trott added a commit that referenced this pull request Oct 13, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Oct 13, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Oct 17, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Oct 30, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@codebytere codebytere mentioned this pull request Nov 27, 2018
rvagg pushed a commit that referenced this pull request Nov 28, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Nov 29, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: #23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@codebytere codebytere mentioned this pull request Nov 29, 2018
@Trott Trott deleted the revise-security-text branch January 13, 2022 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations. security Issues and PRs related to security.
Projects
None yet
Development

Successfully merging this pull request may close these issues.