add third party vuln process #57
Conversation
| @@ -0,0 +1,86 @@ | |||
| This document describes the management of vulnerabilities within the Node.js | |||
| ecosystem. Vulneabilities in Node.js core are out of this scope. | |||
There was a problem hiding this comment.
Vulneabilities -> Vulnerabilities
| # Definitions | ||
|
|
||
| * package: in this document, a package is a module available widely to use | ||
| with Node.js.Most modules are hosted on npmjs.org repository. |
There was a problem hiding this comment.
Space after Node.js. Also add "the" before npmjs.org.
|
|
||
| # Process | ||
|
|
||
| Individuals who found potential vulnerabilities in a package are invited |
| # Process | ||
|
|
||
| Individuals who found potential vulnerabilities in a package are invited | ||
| to fill a vulnerability report on the dedicated HackerOne organization: |
|
|
||
| [https://hackerone.com/nodesecurity](https://hackerone.com/nodesecurity) | ||
|
|
||
| When a potential vulnerability is reported, the following actions are taken |
|
|
||
| **Delay:** 48 hours | ||
|
|
||
| Within 72 hours, a member of the triage team provides a first answer to the |
There was a problem hiding this comment.
Is the turnaround time 48 or 72 hours?
| individual who submitted the potential vulnerability. The possible responses | ||
| can be: | ||
|
|
||
| * acceptation: what was reported is considered as a new vulnerability |
| ## Case of vulnerabilities found outside this process | ||
|
|
||
| Vulnerabilities found and fixed outside this process should be added into | ||
| the vulnerability base. This can be done by anyon through a Pull Request on |
There was a problem hiding this comment.
Thanks for the review!
| @@ -0,0 +1,86 @@ | |||
| This document describes the management of vulnerabilities within the Node.js | |||
| ecosystem. Vulnerabilities in Node.js core are out of this scope. | |||
There was a problem hiding this comment.
Saying that, we will end up collecting vulnerabilities for Front-end packages.
There was a problem hiding this comment.
Perhaps link here to https://nodejs.org/en/security/ or something like that?
There was a problem hiding this comment.
the nsp database includes a couple front-end packages, as does snyk's database. There are lots of FE code distributed via npmjs.org. Node "app" developers (or users of those apps when they are insecure) don't necessarily distinguish between a "vuln in js code evaluated by node" and "vuln in js code served by node to a FE, and evaluated by a web browser". We need to be really clear, though, on what the scope is if the DB managed by the Node Foundation. Is it packages in npmjs.org? Or, is it node javascript packages (no matter where accessed from)? Both?
There was a problem hiding this comment.
We historically considered anything within npm to be in scope for what to include in our ecosystem initiative.
| the vulnerability base. This can be done by anyone through a Pull Request on | ||
| this repository. | ||
|
|
||
| # The triage team |
There was a problem hiding this comment.
Need to add a part discussing NDA
There was a problem hiding this comment.
Once #56 lands, the team membership and NDA can be shared.
| @@ -0,0 +1,86 @@ | |||
| This document describes the management of vulnerabilities within the Node.js | |||
| ecosystem. Vulnerabilities in Node.js core are out of this scope. | |||
There was a problem hiding this comment.
Perhaps link here to https://nodejs.org/en/security/ or something like that?
| **Delay:** 45 days | ||
|
|
||
| When a vulnerability is confirmed, a member of the triage is | ||
| designated as follow up on this topic. |
There was a problem hiding this comment.
designated to follow up is clearer I think.
|
|
||
| Within 45 days after the triage date, the vulnerability must be made public. | ||
|
|
||
| If a patch is being developed by the package maintainer, a delay of 30 days |
There was a problem hiding this comment.
being developed -> being actively developed
|
|
||
| Within HackerOne, this is handled through a "public disclosure request". | ||
|
|
||
| ## Case of vulnerabilities found outside this process |
There was a problem hiding this comment.
Case of vulnerabilities -> Vulnerabilities
|
|
||
| ## Triage | ||
|
|
||
| **Who:** The triage team |
There was a problem hiding this comment.
should this list who the members of the triage team are? I assume this is made up of the current recipients of the security@ messages?
There was a problem hiding this comment.
Or is this specifically only for module vulnerabilities?
There was a problem hiding this comment.
@jasnell This is a separate group for triage of non-core vulnerabilities.
There was a problem hiding this comment.
once #56 lands, this PR can also include addition of a Team to the doc describing privacy policy, because the same privacy policy should apply to thirdparty vulns as to core (I think)
|
|
||
| Individuals who find potential vulnerabilities in a package are invited | ||
| to complete a vulnerability report on the dedicated HackerOne organization: | ||
|
|
There was a problem hiding this comment.
It should also be possible for a vulnerability to be reported via email (which can be forwarded to HackerOne and will auto-create a vuln report).
There was a problem hiding this comment.
I have an issue on setting up this on H1 side right now. I have pinged H1 on that for assistance.
|
|
||
| ## Triage | ||
|
|
||
| **Who:** The triage team |
There was a problem hiding this comment.
once #56 lands, this PR can also include addition of a Team to the doc describing privacy policy, because the same privacy policy should apply to thirdparty vulns as to core (I think)
|
|
||
| Within 45 days after the triage date, the vulnerability must be made public. | ||
|
|
||
| If a patch is being developed by the package maintainer, a delay of 30 days |
There was a problem hiding this comment.
do we have to be so specific about the 30 days? Can we make it more wish-washy, something like "by majority agreement and sole discretion of the triage team, publicization may be delayed. This will only be done if there is some clear proposal for a timeline for publicization, and justification for the delay."? This basically allows the triage team to "do the right thing" under unusual situations, rather than being bound to overly strict rules.
| the vulnerability base. This can be done by anyone through a Pull Request on | ||
| this repository. | ||
|
|
||
| # The triage team |
There was a problem hiding this comment.
Once #56 lands, the team membership and NDA can be shared.
|
|
||
| # Definitions | ||
|
|
||
| * package: in this document, a package is a module available widely to use |
There was a problem hiding this comment.
I'd suggest
a package available for use with Node.js and hosted on the npmjs.org repository.
| * Acceptance: what was reported is considered as a new vulnerability | ||
| * Rejection: what was reported is not considered as a new vulnerability | ||
| * Need more information: the triage team needs more information in order to | ||
| evaluate what was reported. |
There was a problem hiding this comment.
Need to be lined up with Need for proper markdown formatting.
|
|
||
| **Delay:** 45 days | ||
|
|
||
| When a vulnerability is confirmed, a member of the triage is |
| **Delay:** 45 days | ||
|
|
||
| When a vulnerability is confirmed, a member of the triage is | ||
| designated to follow up on this topic. |
| ## Vulnerabilities found outside this process | ||
|
|
||
| Vulnerabilities found and fixed outside this process should be added into | ||
| the vulnerability base. This can be done by anyone through a Pull Request on |
|
|
||
| # The triage team | ||
|
|
||
| The triage team is composed of 7 to 10 members of the security working group. |
There was a problem hiding this comment.
Do we need a number here ? May be better to just leave it up to the security wg team to decide when people volunteer.
There was a problem hiding this comment.
Some stated floor for the minimal number has value to me that at least expresses the intent to ensure that this is not a role that can be distilled down to an individual or lesser number who feel they can/should take it on alone. Not sure how binding this is as a process doc vs. a charter for the group which is where that would ideally be documented, but I don't think that exists atm.
There was a problem hiding this comment.
A minimum number would not be a concern for me. I was more worried about when we hit X and then somebody volunteers.... Probably a good problem to have. Maybe we say something like composed of Y or more members ..
|
Overall looks good to me. We just need to fill in the email address and ensure the hackerone org is active before landing. |
|
We can now set up email alias to our H1 org. PR has been opened in the email repo nodejs/email#75 |
|
This should be good to merge now, does anyone wants to review one last time? |
|
I see its passed on smartos15 and smartos16, so maybe its just that the versions of Node.js that we are testing don't run on smartos14 and we should just remove that. @cjihrig what is the oldest version of Node.js that runs on smartos 14 ? |
|
@mhdawson wrong issue? |
|
@cjihrig yes, will move to right one |
Workflow as decided in #54