[SEC-WG] Create a private repository for the reports

[bjohansebas]

We should create a private repository that only this team and the TC have access to, in order to keep track of open reports, or to transfer a report to this repository if it was made publicly in an issue.

The workflow would be as follows:

• The report is submitted either through the GitHub Security Advisory or via email to webpack-security@openjsf.org.
• An issue is created in the new repository:
  • If the report came through the GitHub Security Advisory, it is referenced in the issue.
  • If it came via email, the email is copied into the issue, and if a potential vulnerability is confirmed, a GitHub Security Advisory is created in the appropriate repository.
• The workflow then continues as usual.

Keep in mind that Webpack has many repositories, and keeping track of open reports is quite complicated. Until GitHub implements a solution to manage this in a single place, having this repository would be useful (https://github.com/orgs/community/discussions/183774). In case GitHub implements such a solution in the future, this repository could be used to transfer any vulnerabilities that were made public.

[avivkeller]

GitHub Security Reports can have comments, so why don't we just manage them like that?

In the event that an issue was opened, we can just delete it + open an advisory

[bjohansebas]

GitHub Security Reports can have comments, so why don't we just manage them like that?ç

Yes, but the problem is knowing which reports are currently open. Right now, we have to check each repository one by one to see what reports exist, or check GitHub notifications (which isn’t really an option since I have too many, and many of us do as well).

It’s just to keep track

[avivkeller]

Yes, but the problem is knowing which reports are currently open.

What about https://github.com/orgs/[org]/security/overview

[avivkeller]

I'm +1 on a premature disclosure repository, but I think it'd be difficult to comment on reports that exist in several places (email, issue, advisory, etc)

[bjohansebas]

What about https://github.com/orgs/[org]/security/overview

That has to be enabled by the organization, and in that dashboard only Dependabot or Code Scanning reports appear, global Security Advisory reports do not show up, that’s the same problem we have in Express

[UlisesGascon]

GitHub Security Reports can have comments, so why don't we just manage them like that?

In my view, advisories are not an appropriate venue for internal decision-making or vulnerability evaluation. The original reporter is included in those threads, which can complicate internal discussion and discourage open, candid debate. This also makes it difficult to treat the space as a safe environment for the project team to align on and define the official project response.

This is essentially the same pattern many projects follow with moderation reports: discussion happens internally first, and only once there is clear consensus do we respond externally.

[avivkeller]

I see, apologies for my misunderstanding. +1 on the proposal, now that I am more informed.