doc: add extra step for reporter pre-approval

As discussed in the #security-triagge (OpenJS channel). To avoid insufficient CVE fixes across Security Release, might make sense to request a reporter pre-approval.
nodejs · Sep 27, 2022 · 5860adc · 5860adc
1 parent e0c5b44
commit 5860adc
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md
@@ -66,6 +66,10 @@ The current security stewards are documented in the main Node.js
 * [ ] Check that all vulnerabilities are ready for release integration:
   * PRs against all affected release lines or cherry-pick clean
   * Approved
+  * (optional) Approved by the reporter
+    * Build and send the binary to the reporter according to its architecture
+      and ask for a review. This step is important to avoid insufficient fixes
+      between Security Releases.
   * Pass `make test`
   * Have CVEs
     * Make sure that dependent libraries have CVEs for their issues. We should