This document outlines the processes, tools and resources available for recognizing the work done by security researchers in the Security WG space.
We recognize the effort and time spent by individual security researchers to submit reports and take part in the process of triaging and communicating with different projects and maintainers in order to resolve a security issue and create a better ecosystem for Node.js.
The following are tools and processes that can and should be used in order to recognize and credit this work:
A monthly tweet will be sent out from the official @nodejs account on the 25th that will mention four security researchers and their contribution, based on information that the Security WG members will provide in the following spreadsheet
Hashtag: #nodejssecurity
Contact person: Zibby Keaton (@ZibbyKeaton)
Example link for tweet reference: https://twitter.com/nodejs/status/1012720630964326402
HackerOne maintains a leaderboard of active members in each program which can be queried to find members to recognize:
A Quarterly Spotlight will be a regular post from the Security WG that lists recent work, from processes to vulnerabilities, in which we can feature several active hackers in our community and their disclosures.
Suggestions for the processes listed below are still to be defined and require more work, as they are beyond the direct responsibility of the WG.
Official recognition through listing on the Node.js website. TBD, see PR: nodejs/website-redesign#59
- Stickers
- T-shirts
- Books
Defining a process/threshold for what constitutes a significant contribution and what it yields (recognition artifacts, joining the WG, etc.). It makes sense to pursue this after we are able to finalize SWAG or another means of recognizing significant contributions.