Inadvertent disclosure #36155
Inadvertent disclosure #36155
Conversation
|
Review requested:
|
nodejs-github-bot
added
the
c++
|
Are the n-api changes here intentional? |
doc/guides/collaborator-guide.md
Outdated
|
|
||
| * Ask the originator to submit a report through Hacker one as outlined in | ||
| [SECURITY.md][security reporting]. | ||
| * Move the issue to the private repo called `premature-disclosures` |
There was a problem hiding this comment.
Link to the repository? Or should we keep it without a link on purpose?
Also, I assume it will be a repo on nodejs-private?
There was a problem hiding this comment.
I've not created the repo yet, but a link makes sense. It should only be accessible to those who have access to private repos within the org
There was a problem hiding this comment.
@mmarchini added the link in the first reference, not sure if we need to make all references a link or not.
There was a problem hiding this comment.
Also, I assume it will be a repo on nodejs-private?
No, its a private repo in the nodejs org as I don't believe we can move issues across organizations.
There was a problem hiding this comment.
I see. The downside is that folks who have access to private repos in this org but not on the repo we usually use for security releases will have access to the issue. It's probably fine though, it only means some folks in moderation and CommComm will have access to the issue even when they don't have access to security release discussions (which is still better than keeping the issue public).
There was a problem hiding this comment.
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com>
mhdawson
force-pushed
the
inadvertant-disclosure
branch
from
06b7d65
to
83c1c12
Compare
Flarna
removed
the
c++
Co-authored-by: Richard Lau <rlau@redhat.com>
Co-authored-by: Richard Lau <rlau@redhat.com>
Co-authored-by: mary marchini <oss@mmarchini.me>
|
@mmarchini good call on creating the request in admin. Here is the list: nodejs/admin#573 |
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
|
Landed as 9cf2341 |
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: nodejs#36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes