Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: no longer maintain a CNA structure #33639

Closed
wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).
@sam-github sam-github requested a review from jasnell May 29, 2020 17:13
@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label May 29, 2020
@sam-github
Copy link
Contributor Author

@jasnell I couldn't find the issue where I last brought this up in, but IIRC correctly you wanted to keep the CNA status around a bit longer, just in case we needed it. I'm just trying to remove as much adminstrative overhead as possible, if people still want to maintain this, that's OK, but I haven't seen it being used.

And of course, if for some reason we decide to stop using HackerOne for any kind of reason, becoming a CNA was pretty easy, it would be possible to do it again.

Jo Bazar, Lead CNA Coordinator, cna-coordinator@mitre.org , jbazar@mitre.org, is the contact. Jo last asked this February what the status was, I said we were still thinking about it, Jo said "ok, keep me informed".

@jasnell
Copy link
Member

jasnell commented May 29, 2020

At this point dropping it makes sense

@sam-github
Copy link
Contributor Author

OK, unless someone raises concerns before then, I'll do the cleanup early next week. cc: @nodejs/tsc @nodejs/security @nodejs/security-triage

@BridgeAR
Copy link
Member

Should we add that to the TSC agenda?

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@vdeturckheim
Copy link
Member

The only potential risk I see is that technically, not being a CNA means that MITRE (and some other specific CNAs - for instance Airbus) could be free to publish CVEs regarding Node.js. I don't believe there is a high risk however as MITRE asks on maintainer's feedback when acting as a CNA.
Altogether this is very unlikely to happen. It would always be time to ask HackerOne if they are willing to claim Node.js in their scope on our behalf if any issue is met in the future.

@BridgeAR BridgeAR force-pushed the master branch 2 times, most recently from 8ae28ff to 2935f72 Compare May 31, 2020 12:18
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sam-github sam-github added the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Jun 2, 2020
@sam-github
Copy link
Contributor Author

Conversation has moved to email with Mitre and HackerOne and TSC, trying to clarify what the impact of dropping CNA status would be, if any. Will report back here once its known.

@mhdawson
Copy link
Member

mhdawson commented Jul 2, 2020

Michael volunteer tell mitre we will no longer be our own CNA.

@mhdawson mhdawson removed the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Jul 2, 2020
@jasnell
Copy link
Member

jasnell commented Jul 3, 2020

Based on the TSC discussion and no objections, I think we can land this while the other actions are being taken in parallel.

jasnell pushed a commit that referenced this pull request Jul 3, 2020
Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).

PR-URL: #33639
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
@jasnell
Copy link
Member

jasnell commented Jul 3, 2020

Landed in 3f81f2a

@jasnell jasnell closed this Jul 3, 2020
MylesBorins pushed a commit that referenced this pull request Jul 14, 2020
Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).

PR-URL: #33639
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Jul 14, 2020
MylesBorins pushed a commit that referenced this pull request Jul 16, 2020
Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).

PR-URL: #33639
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
addaleax pushed a commit that referenced this pull request Sep 22, 2020
Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.

Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).

As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).

PR-URL: #33639
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
@codebytere codebytere mentioned this pull request Sep 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants