Help in triaging node.js core security issues

[mcollina]

I would like to candidate myself to help in triaging Node.js core security issues in H1.

[jasnell]

+1

[Trott]

Is there a documented process for this? Is this the right repo etc.? @nodejs/security-wg

[mcollina]

There isn't one. There is one for the 3rd-party vuln database (https://github.com/nodejs/security-wg/blob/master/processes/security_team_onboarding.md).

I think this is governed by the TSC and not by the security-wg.

[jasnell]

The security triage team has nothing to do with the @nodejs/security-wg. It is the purvue of the TSC as part of the @nodejs/security team management. Generally speaking, all we need for this is no objections from @nodejs/tsc or @nodejs/security.

[bengl]

@mcollina

I think this is governed by the TSC and not by the security-wg.

@jasnell

The security triage team has nothing to do with the @nodejs/security-wg. It is the purvue of the TSC as part of the @nodejs/security team management.

I just want to clarify this for those reading and thinking "Hey wait, isn't it Security WG's job to define this sort of policy?".

As it turns out, the charter for the group states among its responsibilities:

Review and recommend processes for handling of security reports (but not the actual administration of security reports, which are reviewed by a group of people directly delegated to by the TSC).

While this is vague, it effectively states that the core triage team consists of folks who are approved by the TSC directly. So yes, by the Security WG's own charter (and likely other bits of policy spread around the org), this repo (TSC) is the correct place for this discussion, and the Security WG has no other policy for this (nor is it chartered to do so).

[mhdawson]

+1

[MylesBorins]

+1

…

On Mon, Sep 10, 2018, 5:38 PM Michael Dawson ***@***.***> wrote: +1 — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#598 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAecV9EuQhoHEAUo19pNwa2ddGh8kb1mks5uZtu4gaJpZM4WhxqY> .

[Trott]

The security triage team has nothing to do with the @nodejs/security-wg.

I pinged Security WG because they often document our policies around this stuff because we fail to do so, not because I thought they had authority.

To wit: https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md#nodejs-security-team

[mcollina]

@Trott there is absolutely no policy around that team, apart from being a TSC responsibility.

[Trott]

Not sure if it was necessary but it seemed to be approved in a perfunctory fashion in today's TSC meeting, so I'm going to remove the tsc-agenda label.

[mcollina]

Cool! How do I get onboarded?

[vdeturckheim]

@mcollina If I get TSC approval, I can invite you on HackerOne org and we can schedule a call so I show you around :)