Responsible security disclosures

[tobie]

Is there a standard way for OpenJSF projects to accept responsible security disclosures or is the expectation that projects set up their own solution?

Node.js has its own policy, for example. I don't know about other projects.

I feel like it would be nice if this was something the foundation handled for projects (even if the project would be the one responsible for dealing with the disclosure itself).

[wesleytodd]

Related: nodejs/package-maintenance#159

Our Node WG has been having some discussions around this. If the foundation was going to have something it should align with what the Maintenance WG and Security WG recommend.

[MylesBorins]

We've definitely discussed trying to replicate some of the work that has been done in core... especially around managing CNA and CVE stuff. With githubs new announcement though perhaps we should look at working with them... as the management of the CNA is a non-trivial amount of work.

…

On Wed, Sep 18, 2019 at 6:50 PM Wes Todd ***@***.***> wrote: Related: nodejs/package-maintenance#159 <nodejs/package-maintenance#159> Our Node WG has been having some discussions around this. If the foundation was going to have something it should align with what the Maintenance WG and Security WG recommend. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#326?email_source=notifications&email_token=AADZYVY57TQLI3PW5G4Z463QKKWBVA5CNFSM4IYEPJW2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7BVVNQ#issuecomment-532896438>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADZYV3A5SIGWKN6UF32XR3QKKWBVANCNFSM4IYEPJWQ> .

[mhdawson]

The Node.js security working group also does work in this area, and HackerOne who we work with handle the CVEs for the ecosytem reports. I've pinged that team through nodejs/security-wg#578

[mhdawson]

There have been discussions as to wether part of the Node.js security-wg which focuses on ecosystem triage should move up to the OpenJS level. This is probably a good time to continue that discussion. @sam-github

[sam-github]

nodejs/security-wg#579 relates to this slightly, in that if the responsibilities of the nodejs/security-wg become more clearly and singularly focussed on the Ecosystem outside Node.js, they might be a candidate to move up a level.

Also, note that even though many, perhaps most, of the vulns in the DB are reported against "Node.js" packages, a number of those packages can also run in the browser, and there are at least a handful (or were, last time I surveyed them a couple years ago) that are npm package that run ONLY in the browser, so the WG is already in some sense collecting and triaging non-Node.js vulnerabilities.

[MarcinHoppe]

I brought this up some weeks ago when triaging a report of a vulnerability in a React component: clearly only intended to work in the browser but still distributed via the npm.

I would definitely be up for discussion about taking our work in the Node.js ecosystem triage team to the OpenJS foundation level.

[mhdawson]

Created nodejs/security-wg#589