-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inadvertent disclosure #36155
Inadvertent disclosure #36155
Conversation
Review requested:
|
Are the n-api changes here intentional? |
doc/guides/collaborator-guide.md
Outdated
|
||
* Ask the originator to submit a report through Hacker one as outlined in | ||
[SECURITY.md][security reporting]. | ||
* Move the issue to the private repo called `premature-disclosures` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Link to the repository? Or should we keep it without a link on purpose?
Also, I assume it will be a repo on nodejs-private?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've not created the repo yet, but a link makes sense. It should only be accessible to those who have access to private repos within the org
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mmarchini added the link in the first reference, not sure if we need to make all references a link or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I assume it will be a repo on nodejs-private?
No, its a private repo in the nodejs org as I don't believe we can move issues across organizations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. The downside is that folks who have access to private repos in this org but not on the repo we usually use for security releases will have access to the issue. It's probably fine though, it only means some folks in moderation and CommComm will have access to the issue even when they don't have access to security release discussions (which is still better than keeping the issue public).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com>
06b7d65
to
83c1c12
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Co-authored-by: Richard Lau <rlau@redhat.com>
Co-authored-by: Richard Lau <rlau@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. I think we need to open a request on nodejs/admin to create the repository, correct?
Co-authored-by: mary marchini <oss@mmarchini.me>
@mmarchini good call on creating the request in admin. Here is the list: nodejs/admin#573 |
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Landed as 9cf2341 |
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: nodejs#36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes