
doc: revise security-reporting text in README #23407

Closed

Conversation

@Trott (Member) commented Oct 10, 2018

Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Oct 10, 2018
@Trott (Member, Author) commented Oct 10, 2018

How do I find out who is on nodejs-79566c66a30b0312@forwarding.hackerone.com so I can ask them if the current text and these changes are accurate? I can just email the address, I suppose, but what if I wanted to audit who is on the list? @nodejs/security-wg

@vsemozhetbyt vsemozhetbyt added the security Issues and PRs related to security. label Oct 10, 2018
@lirantal (Member) commented

What is that nodejs forwarding address for? Seems to be an alias to the HackerOne Node core program? If so, @vdeturckheim should have access to see who is participating there.

Text LGTM.
Maybe we also want to mention the H1 core program? It might make the message a bit lengthier and confuse the user as to which should he choose (report on H1 or e-mail) so I'm ok with leaving it out.

@Trott (Member, Author) commented Oct 10, 2018

what is that nodejs forwarding address for?

security@nodejs.org is the address we ask people to use when reporting security vulnerabilities in Node.js core.

The alias is defined in https://github.com/nodejs/email/blob/31a4b5cd3791d4cf14c484ac07574da0647921ee/iojs.org/aliases.json#L46-L51.

That's basically all I know, though. Although I imagine I could find more digging through git history and issue trackers spread out across the org. I'm hoping someone knows and will provide the answer, though.

@lirantal (Member) commented

Got it. I wasn't aware that we forward that directly to HackerOne.
So indeed @vdeturckheim can quickly take a look and tell you who is invited to that program.

@vdeturckheim (Member) commented

In theory the list is here https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md#team-that-triages-security-reports-against-node-core but it is highly outdated. I'll PR the updated list after lunch.

@vdeturckheim (Member) commented

So I updated the list as of nodejs/security-wg#414

@Trott (Member, Author) commented Oct 10, 2018

OK, so for this change, /ping @cjihrig @indutny @jasnell @mcollina @mhdawson @MylesBorins @rvagg @vdeturckheim

@Trott Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 11, 2018
@MylesBorins (Contributor) left a comment

LGTM

@mcollina (Member) left a comment

LGTM

Trott added a commit to Trott/io.js that referenced this pull request Oct 12, 2018
Simplify and clarify the security-reporting text in the README. Now is
also probably a good time to ping the security triage folks to make sure
the text is still accurate.

PR-URL: nodejs#23407
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@Trott (Member, Author) commented Oct 12, 2018

Landed in bcbb937

@Trott Trott closed this Oct 12, 2018
Trott added a commit that referenced this pull request Oct 13, 2018
targos pushed a commit that referenced this pull request Oct 13, 2018
jasnell pushed a commit that referenced this pull request Oct 17, 2018
MylesBorins pushed a commit that referenced this pull request Oct 30, 2018
@codebytere codebytere mentioned this pull request Nov 27, 2018
rvagg pushed a commit that referenced this pull request Nov 28, 2018
MylesBorins pushed a commit that referenced this pull request Nov 29, 2018
@codebytere codebytere mentioned this pull request Nov 29, 2018
@Trott Trott deleted the revise-security-text branch January 13, 2022 22:50