Skip to content

Commit

Permalink
doc: add process for handling premature disclosure
Browse files Browse the repository at this point in the history
Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <mdawson@devrus.com>

PR-URL: #36155
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Mary Marchini <oss@mmarchini.me>
Reviewed-By: Rich Trott <rtrott@gmail.com>
  • Loading branch information
mhdawson authored and danielleadams committed Dec 7, 2020
1 parent d4de7c7 commit 0401ffb
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions doc/guides/collaborator-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
* [Closing issues and pull requests](#closing-issues-and-pull-requests)
* [Author ready pull requests](#author-ready-pull-requests)
* [Handling own pull requests](#handling-own-pull-requests)
* [Security issues](#managing-security-issues)
* [Accepting modifications](#accepting-modifications)
* [Code reviews](#code-reviews)
* [Consensus seeking](#consensus-seeking)
Expand Down Expand Up @@ -87,6 +88,34 @@ to land but is [author ready](#author-ready-pull-requests), add the
`author ready` label. If you wish to land the pull request yourself, use the
"assign yourself" link to self-assign it.

### Managing security issues

Security issues should ideally be reported through the processes outlined in
[SECURITY.md][security reporting]. This allows the collaborators to
appropriately triage the report and address vulnerabilities in a planned
security release. If an issue is opened in the public repo
which describes a security issue, or if an issue is later identified to be
describing a security issue, take the following steps:

* Ask the originator to submit a report through Hacker one as outlined in
[SECURITY.md][security reporting].
* Move the issue to the private repo called
[premature-disclosures](https://github.com/nodejs/premature-disclosures).
* For any related pull requests create an associated issue in the
`premature-disclosures` repo and add a copy of the patch for the
pull request, and screenshots of discussion on the PR to the issue.
* Open a ticket with GitHub asking that the PRs be deleted through
[GitHub suppport](https://support.github.com/contact)
using Node.js(team) as the account organization.
* Open a new issue in the repository in which the issue was originally
reported with a brief FYI to the originator. `FYI @xxxx we asked github
to delete your PR while we work on releases in private.` with the title
`FYI - PR deleted #YYYY`.
* Email `tsc@iojs.org` with the link to the issues in the
`premature-disclosures` repo so that the TSC is aware that they
may need to expedite handling of the issue due to premature
disclosure.

## Accepting modifications

Contributors propose modifications to Node.js using GitHub pull requests. This
Expand Down Expand Up @@ -791,4 +820,5 @@ If you cannot find who to cc for a file, `git shortlog -n -s <file>` can help.
[git-username]: https://help.github.com/articles/setting-your-username-in-git/
[node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials
[node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues
[security reporting]: https://github.com/nodejs/node/blob/HEAD/SECURITY.md
[unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22

0 comments on commit 0401ffb

Please sign in to comment.