Process for making a security advisory

Rand McKinney edited this page Nov 7, 2017 · 3 revisions

Someone in engineering takes point on the fix. The documentation is not updated until AFTER the affected module has been updated and published to npm. This ordering is very important: publishing the advisory first would publicize the vulnerability while users still have no fixed version to upgrade to.

Once npm is updated:

  1. Get the description of the advisory from engineering.
  2. Create a new page titled "Security advisory MM-DD-YYYY" (fill in the date).
  3. The page format is standardized and should match existing advisories, e.g. "Security advisory 09-21-2017". There should be headings for:
    • Description
    • Reported by
    • Versions affected
    • Solution
  4. If you open a PR, make sure the appropriate people in engineering review it; alternatively, engineering may open the PR and you do a copy-edit review.
  5. Land the PR.
  6. Post to the LoopBack Developer Google Group and the Announcements Mailing List. Make the post an "announcement" and "pin" it so it is always displayed at the top.
  7. Let Dave W know and send him the link to the advisory so he can tweet about it.