From 4494cb2e828e1c8499bd12bbbe9fe06b1b0616a8 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Tue, 27 Sep 2022 18:10:27 -0400 Subject: [PATCH] doc: add info on fixup to security release process MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add details on what to do if we have an incomplete fix - add details on how to update a CVE if necessary Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/44807 Reviewed-By: Matteo Collina Reviewed-By: Vladimir de Turckheim Reviewed-By: Chengzhong Wu Reviewed-By: Tobias Nießen Reviewed-By: James M Snell --- doc/contributing/security-release-process.md | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index 468f9ad4e51740..6e744e877dab65 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md 
@@ -196,6 +196,27 @@ out a better way, forward the email you receive to [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards). If necessary add the next rotation of the steward rotation. +## When things go wrong + +### Incomplete fixes + +When a CVE is reported as fixed in a security release and it turns out that the +fix was incomplete, a new CVE should be used to cover subsequent fix. This +is best practice and avoids confusion that might occur if people believe +they have patched the original CVE by updating their Node.js version and +then we later change the `fixed in` value for the CVE. + +### Updating CVEs + +The steps to correct CVE information are: + +* Go to the “CVE IDs” section in your program + sections () +* Click the “Request a CVE ID” button +* Enter the CVE ID that needs to be updated +* Include all the details that need updating within the form +* Submit the request + [H1 CVE requests]: https://hackerone.com/nodejs/cve_requests [docker-node]: https://github.com/nodejs/docker-node/issues [email]: https://groups.google.com/forum/#!forum/nodejs-sec
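Review bot: the parenthetical in the first "Updating CVEs" step is empty (`sections ()`), so the reader is told to go to the “CVE IDs” section of the program with no link to where that is; the file already defines the `[H1 CVE requests]: https://hackerone.com/nodejs/cve_requests` reference at the bottom, so reuse it, e.g. `* Go to the “CVE IDs” section in your program ([H1 CVE requests])`, or drop the empty parentheses. Two smaller points in the same hunk: in "Incomplete fixes", "to cover subsequent fix" should read "to cover the subsequent fix", and since the steps describe requesting a new CVE ID via the "Request a CVE ID" button while actually correcting an existing one, a short sentence saying that this form is also the channel for updates to an existing CVE would avoid readers thinking they are on the wrong page.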