doc: add security steward on/offboarding steps #41129

Closed
wants to merge 9 commits into from
29 changes: 29 additions & 0 deletions doc/guides/security-steward-on-off-boarding.md
@@ -0,0 +1,29 @@
# Security Steward Onboarding/OffBoarding

## Onboarding

* Confirm the new steward agrees to keep all private information confidential
to the project and not to use/disclose to their employer.
* Add them to the security-stewards team in the GitHub nodejs-private
organization
* Add them to the standard team in H1 using this
[page](https://hackerone.com/nodejs/team_members);
* Add them to the
[jenkin-admins team](https://GitHub.com/orgs/nodejs/teams/jenkins-admins)
in the GitHub nodejs org. This is needed for them to be able
to lock/unlock the CI during a security release.
Member
I don't object to this, but this is a change -- currently locking/unlocking the CI for a security release is documented as being something to request the build team to do (see the template issue text for "Notify build-wg of upcoming security release date by opening an issue in nodejs/build to request WG members are available to fix any CI issues." in https://github.com/nodejs/node/blob/master/doc/guides/security-release-process.md).

Member Author

Ok that makes sense to me. I'll remove that part for now.

* Add them as managers of the
[nodejs-sec](https://groups.google.com/g/nodejs-sec/members) mailing list.

## Offboarding

* Remove them from security-stewards team in the GitHub nodejs-private
organization
* Unless they have access for another reason, remove them from the
standard team in H1 using this
[page](https://hackerone.com/nodejs/team_members).
* Unless they are a Jenkins admin for another reason, remove them from the
[jenkin-admins team](https://GitHub.com/orgs/nodejs/teams/jenkins-admins)
in the GitHub nodejs org.
* Downgrade their account to regular member in the
[nodejs-sec](https://groups.google.com/g/nodejs-sec/members) mailing list.
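Review bot: the jenkins-admins steps are still in the hunk even though the thread above agrees to drop CI lock/unlock from the steward duties; if the onboarding bullet "Add them to the [jenkin-admins team](...)" goes, the offboarding bullet "Unless they are a Jenkins admin for another reason, remove them from the [jenkin-admins team](...)" should go with it, and if either stays, the link text "jenkin-admins" should read "jenkins-admins" to match the URL, and the URL host should be lowercase "github.com". The Offboarding list also has no counterpart to the first Onboarding bullet: a line stating that the commitment to keep private information confidential continues to apply after the steward steps down would make the two lists symmetrical and avoids the reader inferring that access removal ends the obligation. Minor: "OffBoarding" in the title heading should be "Offboarding" to match the section heading below it.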