From b7036f20282ac5582fd14a3c07c36b81bfce3ed9 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Wed, 29 Nov 2023 14:03:59 -0300 Subject: [PATCH] doc: add procedure when CVEs don't get published MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was the workaround provided by HackerOne team PR-URL: https://github.com/nodejs/node/pull/50945 Refs: https://github.com/nodejs/security-wg/issues/1058 Reviewed-By: Benjamin Gruenbaum Reviewed-By: Michael Dawson Reviewed-By: Tobias Nießen --- doc/contributing/security-release-process.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index 4cd9835a953e94..fa94d25e6fc176 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -200,6 +200,12 @@ out a better way, forward the email you receive to * Request publication of [H1 CVE requests][] * (Check that the "Version Fixed" field in the CVE is correct, and provide links to the release blogs in the "Public Reference" section) + * In case the reporter doesn't accept the disclosure follow this process: + * Remove the original report reference within the reference text box and + insert the public URL you would like to be attached to this CVE. + * Then uncheck the Public Disclosure on HackerOne box at the bottom of the + page. + ![screenshot of HackerOne CVE form](https://github.com/nodejs/node/assets/26234614/e22e4f33-7948-4dd2-952e-2f9166f5568d) * [ ] PR machine-readable JSON descriptions of the vulnerabilities to the [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)