doc: add procedure when CVEs don't get published

This was the workaround provided by HackerOne team
nodejs · Nov 27, 2023 · 73b63f4 · 73b63f4
1 parent d42949e
commit 73b63f4
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md
@@ -200,6 +200,11 @@ out a better way, forward the email you receive to
   * Request publication of [H1 CVE requests][]
     * (Check that the "Version Fixed" field in the CVE is correct, and provide
       links to the release blogs in the "Public Reference" section)
+  * In case the reporter doesn't accept the disclosure follow this process:
+    * Remove the original report reference within the reference text box and
+      insert the public URL you would like to be attached to this CVE.
+    * Then uncheck the Public Disclosure on HackerOne box at the bottom of the page.
+    ![image (4)](https://github.com/RafaelGSS/node/assets/26234614/98009250-c538-4e36-895f-6d2cde4cb5c1)
 
 * [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
   [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)