Skip to content

Commit

Permalink
doc: add h1 summary to security release process
Browse files Browse the repository at this point in the history
PR-URL: #49112
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
  • Loading branch information
RafaelGSS authored and targos committed Nov 26, 2023
1 parent 3b82e9a commit 2247e52
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions doc/contributing/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ The current security stewards are documented in the main Node.js
* [ ] pre-release: _**LINK TO PR**_
* [ ] post-release: _**LINK TO PR**_
* List vulnerabilities in order of descending severity
* Use the "summary" feature in HackerOne to sync post-release content
and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Ask the HackerOne reporter if they would like to be credited on the
security release blog page:
```text
Expand All @@ -81,6 +83,9 @@ The current security stewards are documented in the main Node.js
between Security Releases.
* Pass `make test`
* Have CVEs
* Use the "summary" feature in HackerOne to create a description for the
CVE and the post release announcement.
Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.
Expand Down

0 comments on commit 2247e52

Please sign in to comment.