
Implement process for management of third-party vulnerabilities #54

Closed
6 of 7 tasks
sam-github opened this issue Oct 11, 2017 · 14 comments
Comments

@sam-github
Contributor

sam-github commented Oct 11, 2017

From my initial notes, please edit to add what I'm missing (we'll discuss in WG meeting):

  • (@sam-github) Set up storage for vulnerabilities and seed with nsp data. We are using JSON files committed into a GitHub repo
  • (@vdeturckheim) Set up HackerOne teams and workflow
  • document the process, so people know what the process is we are using the tool for
  • (@lirantal) Implement script to pull vulns from HackerOne into GitHub-ready JSON. see PR nswg-reporter: initial proposition for hackerone reporter #234
  • (@lirantal) Implement script to pull new vulns from Node Security Project (ones received after the initial dump) into GitHub-ready JSON - temporary measure until the Node Foundation becomes the primary reporting endpoint, at which point we can stop scraping
  • PR change to email address alias to direct vulnerability reports to HackerOne
  • PR change to https://nodejs.org/en/security/ to direct that third-party package vulnerabilities be reported to Node Foundation, not Node Security Project
@reedloden
Contributor

(part of this had been sent via e-mail, but moving it to this task)

Great to see this, and more than happy to help get things going from the HackerOne side!

@vdeturckheim -- My recommendation would be to set up a separate HackerOne program just for Node.js module vulnerabilities (separate from Node.js core issues). Perhaps https://hackerone.com/nodesecurity or something similar? You can just go to https://hackerone.com/teams/new to create a new program. Having a separate program makes it way easier to route issues to the right team, especially as per the other discussions I've seen about having Node.js core security issues be restricted to a much smaller group.

As far as pulling data from HackerOne, we have a full API available at https://api.hackerone.com/

@vdeturckheim
Member

@reedloden thanks a lot. Yes, after playing a bit with HackerOne, I came to the same conclusion: having two teams is the easiest way to go for us.

I'll create this team tonight or this weekend.

@mhdawson
Member

mhdawson commented Jan 4, 2018

@sam-github just wondering if you are still planning to get to the action you are tagged with in the description.

@lirantal
Member

lirantal commented Feb 5, 2018

@sam-github I'm joining Michael on the ping - if this is something you want to pass on, let me know and I'll be happy to jump in and help.

@vdeturckheim
Member

vdeturckheim commented Mar 22, 2018

I think right now @lirantal is the most active on that front right?

@cjihrig
Contributor

cjihrig commented Mar 22, 2018

@mhdawson is there anything specific that we need to discuss today, or can the security-wg-agenda label be removed (it's been there since November 2017)? My guess is that it can be removed.

@mhdawson
Member

I think it would be worthwhile to get an update on @lirantal. If he's not heard back from Sam we should discuss how progress is made on the remaining items.

@lirantal
Member

Didn't get an update from Sam, but I did start working on tooling around the HackerOne platform and automating vulnerability triage/reporting.

I'll further update the issue when I have some of that tooling to share (waiting on some APIs from the HackerOne platform).

In the meantime I assigned the ticket to myself, Sam and Vladimir so I can track it better.

@mhdawson
Member

mhdawson commented Apr 4, 2018

@lirantal thanks for the update.

@lirantal
Member

Chiming back on this issue:

@pxlpnk
Member

pxlpnk commented Jul 3, 2018

I am happy to build a thing that pulls the info from the nsp. @lirantal What kind of help do we need from @sam-github and @evilpacket ? I am not fully sure I understand everything yet.

@lirantal
Member

lirantal commented Jul 3, 2018

@pxlpnk unfortunately I don't have anything on it either. I tried to ping both of them a while ago as well but didn't get any response.

We need some background info on how/where to pull in the data from NSP.

@mhdawson
Member

mhdawson commented Jul 4, 2018

I reached out to @evilpacket directly through email asking that he comment here.

@sam-github
Contributor Author

We have a running process.
