Express Security Bugs reports #139
Comments
What about it is outdated? We have gotten reports recently, so I don't think anyone has had trouble making reports. The link is to report non-Express-related issues, and a PR can be made to update the link, but it is unrelated to making these types of reports...
Unless there is something missing here, I'm going to assume this is a duplicate of #110, and any issues with the specific Security.md file should ideally be filed on the repo that file is in (though a PR is even better!).
FWIW, the Express project has specifically opted out of the Node.js HackerOne project, due to a few issues in the past: (1) very long triage turnarounds and (2) public disclosures that were on our projects without even pulling us into the conversation. We have not had any issues triaging or responding to the security issues with our current process, so have not seen any need to opt into HackerOne at this time.
P.S. @UlisesGascon that user never actually followed up on the issue, if you were curious. I did look into the issue since it was reported and, as far as I can tell (barring the user actually making a report and providing a PoC), there is no issue, which may have been why the user never followed up (it has happened before). Here is the part the user wrote that I removed:
Great input @dougwilson! Sorry I didn't properly comment my ideas when I opened the issue. My idea was to suggest including a reference to the bug bounty program and also fixing the broken link to I was not aware that Express opted out of the bounty program, but it seems clear now with your feedback. The problem with a library like Express is that there are too many options that the end user (developer) can choose in order to make the project more or less secure, but I agree that it seems super hard to triage and be involved in all the discussions where Express can be related, just as you show in the PoC provided by the original reporter. Regarding the broken link, it seems like Should we use a different link @dougwilson then?
Yea, the nodesecurity project was folded into npmjs, and I guess they just get a whole-domain redirect to the npmjs.com homepage. It doesn't seem like npmjs.com provides a general security report form; instead the expectation is to search for the package, open the package's page, and click on "Report a vulnerability" there. The idea of that was really to direct folks where to go for non-Express things. Maybe we just remove the link altogether and just say "report to the project" or something? Probably worth an issue/PR in the repo with the Security.md file in question for further discussion around it, but those are my initial thoughts on fixing the broken link. As far as the opt-out goes, HackerOne (https://hackerone.com/nodejs-ecosystem?type=team) just lists us as being ineligible for bounties as their method for marking that, from what I understand.
👋 This is Marcin from Node.js Ecosystem Security WG. I just wanted to clarify one thing really quickly:
Not quite. The Node.js Ecosystem program on HackerOne is open and everyone can submit a report against any package (we are working on fixing that). We can't really stop people from reporting issues through HackerOne, but we can ask them to report them directly to Express according to their security policy if they do.
Hi team!
In https://github.com/expressjs/session/issues/761 a potential security issue was reported. The management of that was right, but we recommended that the reporter follow the instructions in Security.md.
As far as I know the documentation is outdated and the link is broken. I assume that Express is in scope for the Node.js Security WG, as far as I see in the documentation. But maybe @lirantal or @MarcinHoppe can provide more details so I can submit a PR to update the Security.md, and I can also help to provide support to triage security bugs for Express if needed.