doc: add procedure when CVEs don't get published
This was the workaround provided by HackerOne team

PR-URL: #50945
Refs: nodejs/security-wg#1058
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
RafaelGSS authored and richardlau committed Mar 25, 2024
1 parent 8a08275 commit 3ff00e1
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions doc/contributing/security-release-process.md
@@ -200,6 +200,12 @@ out a better way, forward the email you receive to
* Request publication of [H1 CVE requests][]
* (Check that the "Version Fixed" field in the CVE is correct, and provide
links to the release blogs in the "Public Reference" section)
* In case the reporter doesn't accept the disclosure follow this process:
* Remove the original report reference within the reference text box and
insert the public URL you would like to be attached to this CVE.
* Then uncheck the Public Disclosure on HackerOne box at the bottom of the
page.
![screenshot of HackerOne CVE form](https://github.com/nodejs/node/assets/26234614/e22e4f33-7948-4dd2-952e-2f9166f5568d)

* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
[core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
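Review bot: the added sub-steps never say what the workaround achieves, which the commit title implies is getting the CVE published even when the reporter declines public disclosure of the HackerOne report; a short lead-in such as "so that the CVE record can still be published with a public reference while the report itself stays private" would make the two steps self-explanatory. The trigger sentence also reads ambiguously: "In case the reporter doesn't accept the disclosure follow this process:" should name which disclosure is meant and needs a comma, e.g. "In case the reporter doesn't accept public disclosure of the report, follow this process:". Finally, the screenshot is embedded from a `github.com/nodejs/node/assets/...` upload rather than a file tracked in the repository, so it cannot be updated or reviewed alongside the doc if the HackerOne form changes; consider committing the image under `doc/` or at least noting in the text which form field the screenshot refers to.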
