From e09fb87f43a55cf29cefbcc03ec72abeff6cdf7d Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Tue, 27 Sep 2022 13:11:53 -0300 Subject: [PATCH] doc: add extra step for reporter pre-approval As discussed in the #security-triagge (OpenJS channel). To avoid insufficient CVE fixes across Security Release, might make sense to request a reporter pre-approval. --- doc/contributing/security-release-process.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index 75a531560ea06b..b8645be4cdc98e 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -66,6 +66,10 @@ The current security stewards are documented in the main Node.js * [ ] Check that all vulnerabilities are ready for release integration: * PRs against all affected release lines or cherry-pick clean * Approved + * (optional) Approved by the reporter + * Build and send the binary to the reporter according to its architecture + and ask for a review. This step is important to avoid insufficient fixes + between Security Releases. * Pass `make test` * Have CVEs * Make sure that dependent libraries have CVEs for their issues. We should
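Review bot: the new "(optional) Approved by the reporter" item is inserted before "Pass `make test`", so as written the binary would be built and sent to the reporter before the fix has passed the test suite; consider moving the two new bullets after the `make test` item so the reporter reviews a build that has already passed tests, or state in the sub-bullet that the binary must come from a tested PR. Two smaller points in the same hunk: "according to its architecture" should read "according to their architecture" (the reporter, not the binary), and since the build contains an unreleased security fix, it would help to say that it is shared only with the original reporter, who is already under the embargo, over the same private channel used for the report, so the step cannot be read as permitting wider pre-release distribution. The wording "This step is important to avoid insufficient fixes between Security Releases" also sits slightly at odds with the step being optional; a short sentence on when stewards should choose to do it (for example, when the reporter supplied a proof of concept the fix can be checked against) would make the checklist easier to apply.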