doc: stop managing CVEs

[sam-github]

@nodejs/tsc We are now using HackerOne to receive vulnerability reports, and one of the services they offer is CVE allocation.

I propose we:

1. contact Mitre and request no longer being a CNA
2. remove this document
3. archive https://github.com/nodejs-private/cve-management
4. remove CVE related mail aliases from https://github.com/nodejs/email

Tagging TSC agenda, I think this needs agreement from TSC.

[mhdawson]

Have we had a Hacker one issue for every security issue/CVE we have issued? We'd probably have to make sure to do that even for issues that are only reported or found internally.

[sam-github]

Yes, we should create H1 issues for vulnerabilities, even if we found them. I think this is happening, I can't find sign of internally reported vulns:

• No issues have had activity in the archived https://github.com/nodejs-private/security/issues since March 1, 2019, and there are no issues at all in https://github.com/nodejs-private/node-private/issues
• We haven't issued a CVE since Feb, 2019, according to git history.

[mcollina]

LGTM

[jasnell]

I'm -0 on this. Won't block it but I prefer retaining this for all the same reasons we became a CNA in the first place

[mhdawson]

I think we need a replacement file which explains how CVEs are managed through hacker one, turn around time etc. We probably also need the security release process to be updated to explain what needs to be done in order to ensure we get the CVE's in a timely manner through H1 etc.

My preference would be to have a bit more of a complete picture captured/documented before removing this.

[sam-github]

Discussed in nodejs/TSC#766

We'll wait until after the next sec release we do where CVEs are allocated, consider how we felt it went, then decide if we're going to stop being a CNA.