doc: revise security-reporting text in README #23407
Simplify and clarify the security-reporting text in the README. Now is also probably a good time to ping the security triage folks to make sure the text is still accurate.
How do I find out who is on [email protected] so I can ask them if the current text and these changes are accurate? I can just email the address, I suppose, but what if I wanted to audit who is on the list? @nodejs/security-wg
What is that nodejs forwarding address for? Seems to be an alias to the HackerOne Node core program? If so, @vdeturckheim should have access to see who is participating there. Text LGTM.
[email protected] is the address we ask people to use when reporting security vulnerabilities in Node.js core. The alias is defined in https://github.com/nodejs/email/blob/31a4b5cd3791d4cf14c484ac07574da0647921ee/iojs.org/aliases.json#L46-L51. That's basically all I know, though. Although I imagine I could find more digging through git history and issue trackers spread out across the org. I'm hoping someone knows and will provide the answer, though.
Got it. I wasn't aware that we forward that directly to HackerOne.
In theory the list is here https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md#team-that-triages-security-reports-against-node-core but it is highly outdated. I'll PR the updated list after lunch.
So I updated the list as of nodejs/security-wg#414 |
OK, so for this change, /ping @cjihrig @indutny @jasnell @mcollina @mhdawson @MylesBorins @rvagg @vdeturckheim |
LGTM
LGTM
Simplify and clarify the security-reporting text in the README. Now is also probably a good time to ping the security triage folks to make sure the text is still accurate.
PR-URL: nodejs#23407
Reviewed-By: Sakthipriyan Vairamani <[email protected]>
Reviewed-By: Yuta Hiroto <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Landed in bcbb937
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes