
Security Disclosure Policy #296

Closed
jasnell opened this issue Jul 13, 2017 · 8 comments

Comments

@jasnell
Member

jasnell commented Jul 13, 2017

@nodejs/tsc @nodejs/ctc ...

One need we have had for quite some time is a formal early disclosure policy for core and ecosystem vulnerabilities. Currently, our process is rather undefined, including the process for who gets admitted to the @nodejs/security group. What is especially undefined are any of the policies around how and to whom we issue early disclosures for security related issues.

One concern that has been brought to my attention by several members of the community is that under our current processes, some commercial organizations have privileged access to security vulnerability information based solely on the fact that their employees are part of the @nodejs/security team, but other organizations who have employees who actively contribute to core do not have an equal opportunity. We've never really been clear on what the expectations are for members of the @nodejs/security team to keep security details embargoed. This ends up creating a bit of an unfair advantage for certain organizations.

It's past time that we need a documented and enforceable ethical disclosure policy. I would argue that we also should have a reasonable early disclosure process that commercial entities may apply for. Obviously there are details to work out here, but I wanted to get the conversation started.

@jasnell jasnell closed this as completed Sep 14, 2017
@jasnell jasnell reopened this Sep 15, 2017
@jasnell
Member Author

jasnell commented Sep 15, 2017

Ping @nodejs/tsc ... thoughts on this?

(I accidentally closed this)

@thefourtheye
Contributor

thefourtheye commented Sep 15, 2017

@jasnell Can the title be renamed, as we already have a security disclosure policy?

@MylesBorins
Contributor

To the concern raised by community members: AFAIK members of security are not supposed to disclose information under embargo to their employers; those are at least the rules I've been following.

I'd be very interested in how other projects handle ethical disclosure, and potentially early disclosure to companies.

@mhdawson
Member

I think we just need a PR for the text of the policy.

@mhdawson
Member

The text in this PR probably addressed the original issue: nodejs/security-wg#56

@mhdawson
Member

mhdawson commented Nov 3, 2017

Believe this docs the expectations: https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md. @jasnell can this issue be closed?

@jasnell
Member Author

jasnell commented Nov 3, 2017

No, I'd prefer to keep this open until nodejs/security-wg#58 is resolved.

@jasnell
Member Author

jasnell commented Feb 17, 2018

This is being picked up by security-wg. Closing.

@jasnell jasnell closed this as completed Feb 17, 2018
4 participants