Skip to content

Commit

Permalink
doc: add extra step for reporter pre-approval
Browse files Browse the repository at this point in the history
As discussed in the #security-triagge (OpenJS channel).
To avoid insufficient CVE fixes across Security Release,
might make sense to request a reporter pre-approval.

PR-URL: #44806
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
  • Loading branch information
RafaelGSS authored and danielleadams committed Oct 5, 2022
1 parent 8daceda commit 6ae9bc8
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions doc/contributing/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ The current security stewards are documented in the main Node.js
the date in the slug so that it will move to the top of the blog list.)
* (Consider using a [Vulnerability Score System](https://www.first.org/cvss/calculator/3.1)
to identify severity of each report)
* Share the patch with the reporter when applicable.
It will increase the fix accuracy.
* [ ] pre-release: _**LINK TO PR**_
* [ ] post-release: _**LINK TO PR**_
* List vulnerabilities in order of descending severity
Expand All @@ -66,6 +68,10 @@ The current security stewards are documented in the main Node.js
* [ ] Check that all vulnerabilities are ready for release integration:
* PRs against all affected release lines or cherry-pick clean
* Approved
* (optional) Approved by the reporter
* Build and send the binary to the reporter according to its architecture
and ask for a review. This step is important to avoid insufficient fixes
between Security Releases.
* Pass `make test`
* Have CVEs
* Make sure that dependent libraries have CVEs for their issues. We should
Expand Down

0 comments on commit 6ae9bc8

Please sign in to comment.