Write first draft of responsible security reporting guidelines for OpenJS Foundation #589
Comments
@nodejs/security-wg any volunteers?
I could devote some time for it starting next week, I think this is in line with what I wanted to propose for nodejs/package-maintenance#159.
@MarcinHoppe thanks!
@MarcinHoppe I'm wondering if you think you'll still have time to get to this.
Thanks for the reminder! I actually have a draft that I need to put in a PR and start the discussion. I will do my best to wrap it up by the end of this week.
Very keen on helping with this one - let me know if you want any help @MarcinHoppe
@SomeoneWeird amazing! I should have a PR up soon.
@mhdawson @SomeoneWeird I put together a draft PR under the Package Maintenance WG and I'd love to know if you think we could re-use this somehow for the OpenJS Foundation guidelines? The PR is: nodejs/package-maintenance#277.
@MarcinHoppe I think that is a good baseline. What I think we'd want to do for the OpenJS Foundation guidelines (i.e. the scope of this issue) is to narrow down the choices to what we'd want to recommend for OpenJS projects (although maybe with options based on at-large, impact etc. if that makes sense) and provide a recommended template for the policy itself.
Makes sense, thanks for the clarification. Honestly I'd prefer for the discussion in the Node.js Package Maintenance WG to take place first, and then we can extract the guidance that we arrive at there (hopefully soon-ish) and apply it to OpenJS Foundation projects. Does that sound like an acceptable course of action, or do you want to move faster with this issue?
@MarcinHoppe sounds good to me.
@mhdawson I feel that nodejs/package-maintenance#277 is close to landing. Would now be an appropriate time to engage with the OpenJS Foundation to draft the security reporting guidelines?
@MarcinHoppe yes, I had commented on #277 since it landed. Are you able to take a first cut or do you think we need to gather info/feedback first?
Yes. I need to familiarize myself a bit more with OpenJSF projects and processes first, but I would definitely like to put together an initial proposal and kick off the discussion.
Ok, sounds good. Let me know if you need any help or want me to co-ordinate getting more input on the first cut.
Thanks @MarcinHoppe for your work on this issue. As @mhdawson says, if we at the OpenJSF/Cross Project Council can help in any way (context, content, etc.) just let us know! 🎉
I actually do have an idea where your assistance might be helpful. I will reach out on Slack.
👋 Is the subject still relevant? I see that some work has been done on the OpenJS side but I have trouble understanding everything. I remember we added a Responsible Disclosure Policy here, but I think it was deleted with the end of the HackerOne program: 1393717
It isn't relevant to the Node.js ecosystem program because that's been retired, but the broader security reporting guideline for projects under the OpenJS Foundation would be useful (so other projects can apply it if they want to opt in to being the source for disclosures).
I suggest that this be closed here, but put on the agenda for the security collaboration space @joesepi is spinning up under the OpenJS Foundation.
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
Based on openjs-foundation/cross-project-council#326 we are looking for a volunteer to write the first version of the security reporting guidelines, following the https://github.com/openjs-foundation/cross-project-council/blob/master/STAGING_PROCESS.md to make the proposal.
Ideally the work would be: