From 8efd559347e2a0f98f7705fcb2a8236869133c48 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Mon, 23 Aug 2021 08:23:44 +0200
Subject: [PATCH] doc: add duplicate CVE check in sec. release doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds a note about only creating a CVE for Node.js
vulnerabilities.

The motivation for this is a recent HackerOne report where I created a
CVE for a c-ares issue. This CVE should have been created by the c-ares
project, and it was later, but we never updated our HackerOne report to
use their CVE number. Hopefully this extra note in the release doc will
help us check for this situaion and avoid this in the future.

PR-URL: https://github.com/nodejs/node/pull/39845
Refs: https://hackerone.com/reports/1178337
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 doc/guides/security-release-process.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/guides/security-release-process.md b/doc/guides/security-release-process.md
index a0986a5c04a889..bcad4687ccb612 100644
--- a/doc/guides/security-release-process.md
+++ b/doc/guides/security-release-process.md
@@ -40,6 +40,9 @@ information described.
   * Approved
   * Pass `make test`
   * Have CVEs
+     * Make sure that dependent libraries have CVEs for their issues. We should
+       only create CVEs for vulnerabilities in Node.js itself. This is to avoid
+       having duplicate CVEs for the same vulnerability.
   * Described in the pre/post announcements
 
 * [ ] Pre-release announcement [email][]: ***LINK TO EMAIL***