From 9cf23414d5883b1aabcfe5bddeb8a23396064f2e Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Tue, 17 Nov 2020 17:08:46 -0500 Subject: [PATCH] doc: add process for handling premature disclosure Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/36155 Reviewed-By: Matteo Collina Reviewed-By: Richard Lau Reviewed-By: Mary Marchini Reviewed-By: Rich Trott --- doc/guides/collaborator-guide.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index e1dbf51386f7f2..a9e03c92ec95cf 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -7,6 +7,7 @@ * [Closing issues and pull requests](#closing-issues-and-pull-requests) * [Author ready pull requests](#author-ready-pull-requests) * [Handling own pull requests](#handling-own-pull-requests) + * [Security issues](#managing-security-issues) * [Accepting modifications](#accepting-modifications) * [Code reviews](#code-reviews) * [Consensus seeking](#consensus-seeking) @@ -87,6 +88,34 @@ to land but is [author ready](#author-ready-pull-requests), add the `author ready` label. If you wish to land the pull request yourself, use the "assign yourself" link to self-assign it. +### Managing security issues + +Security issues should ideally be reported through the processes outlined in +[SECURITY.md][security reporting]. This allows the collaborators to +appropriately triage the report and address vulnerabilities in a planned +security release. If an issue is opened in the public repo +which describes a security issue, or if an issue is later identified to be +describing a security issue, take the following steps: + +* Ask the originator to submit a report through Hacker one as outlined in + [SECURITY.md][security reporting]. +* Move the issue to the private repo called + [premature-disclosures](https://github.com/nodejs/premature-disclosures). +* For any related pull requests create an associated issue in the + `premature-disclosures` repo and add a copy of the patch for the + pull request, and screenshots of discussion on the PR to the issue. +* Open a ticket with GitHub asking that the PRs be deleted through + [GitHub suppport](https://support.github.com/contact) + using Node.js(team) as the account organization. +* Open a new issue in the repository in which the issue was originally + reported with a brief FYI to the originator. `FYI @xxxx we asked github + to delete your PR while we work on releases in private.` with the title + `FYI - PR deleted #YYYY`. +* Email `tsc@iojs.org` with the link to the issues in the + `premature-disclosures` repo so that the TSC is aware that they + may need to expedite handling of the issue due to premature + disclosure. + ## Accepting modifications Contributors propose modifications to Node.js using GitHub pull requests. This @@ -791,4 +820,5 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [git-username]: https://help.github.com/articles/setting-your-username-in-git/ [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues +[security reporting]: https://github.com/nodejs/node/blob/HEAD/SECURITY.md [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22