From 83c1c12a1033c9a272a20cb770d528c3d47642b5 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Tue, 17 Nov 2020 17:08:46 -0500 Subject: [PATCH 01/10] doc: add process for handling premature disclosure Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson --- doc/guides/collaborator-guide.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 8b40efaa5543d6..96248c9c5f2dd5 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -7,6 +7,7 @@ * [Closing issues and pull requests](#closing-issues-and-pull-requests) * [Author ready pull requests](#author-ready-pull-requests) * [Handling own pull requests](#handling-own-pull-requests) + * [Security issues](#managing-security-issues) * [Accepting modifications](#accepting-modifications) * [Code reviews](#code-reviews) * [Consensus seeking](#consensus-seeking) 
@@ -87,6 +88,33 @@ to land but is [author ready](#author-ready-pull-requests), add the `author ready` label. If you wish to land the pull request yourself, use the "assign yourself" link to self-assign it. +### Managing security issues + +Security issues should ideally be reported through the processes outlined in +[SECURITY.md][security reporting]. This allows the collaborators to +appropriately triage the report and address vulnerabilities in a planned +security release. If an issue is opened in the public repo +which describes a security issue, or if an issue is later identified to be +describing a security issue, take the following steps: + +* Ask the originator to submit a report through Hacker one as outlined in + [SECURITY.md][security reporting]. +* Move the issue to the private repo called `premature-disclosures` +* For any related pull requests create an associated issue in the + `premature-disclosures` repo and add a copy of the patch for the + pull request, and screenshots of discussion on the PR to the issue. +* Open a ticket with GitHub asking that the PRs be deleted through + [GitHub suppport](https://support.github.com/contact) + using Node.js(team) as the account organization. +* Open a new issue in the repository in which the issue was originally + reported with a brief FYI to the originator. `FYI @xxxx we asked github + to delete your PR while we work on releases in private.` with the title + `FYI - PR deleted #YYYY`. +* Email `tsc@iojs.org` with the link to the issues in the + `premature-disclosures` repo so that the TSC is aware that they + may need to expidite handling of the issue due to premature + disclosure. + ## Accepting modifications Contributors propose modifications to Node.js using GitHub pull requests. This 
@@ -792,3 +820,4 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 +[security reporting]: https://github.com/nodejs/SECURITY.md From b11e4d5ab5e7ebde163ce67dc1c9dbcd2290164a Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Nov 2020 13:36:12 -0500 Subject: [PATCH 02/10] Update doc/guides/collaborator-guide.md --- doc/guides/collaborator-guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 96248c9c5f2dd5..613abd8c134088 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -99,7 +99,8 @@ describing a security issue, take the following steps: * Ask the originator to submit a report through Hacker one as outlined in [SECURITY.md][security reporting]. -* Move the issue to the private repo called `premature-disclosures` +* Move the issue to the private repo called +(premature-disclosures)[https://github.com/nodejs/premature-disclosures). * For any related pull requests create an associated issue in the `premature-disclosures` repo and add a copy of the patch for the pull request, and screenshots of discussion on the PR to the issue. From 2d2004d15abfbf5d57e3ce966be0bdc5dd642ee8 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Nov 2020 13:38:09 -0500 Subject: [PATCH 03/10] fixup --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 613abd8c134088..baec9dd9b38aff 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md 
@@ -100,7 +100,7 @@ describing a security issue, take the following steps: * Ask the originator to submit a report through Hacker one as outlined in [SECURITY.md][security reporting]. * Move the issue to the private repo called -(premature-disclosures)[https://github.com/nodejs/premature-disclosures). +[premature-disclosures](https://github.com/nodejs/premature-disclosures). * For any related pull requests create an associated issue in the `premature-disclosures` repo and add a copy of the patch for the pull request, and screenshots of discussion on the PR to the issue. From 04c0058174b81dce44990d5f979a3e36db7e033b Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Nov 2020 16:09:17 -0500 Subject: [PATCH 04/10] squash: fixup --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index baec9dd9b38aff..ca5b245e311186 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -99,7 +99,7 @@ describing a security issue, take the following steps: * Ask the originator to submit a report through Hacker one as outlined in [SECURITY.md][security reporting]. -* Move the issue to the private repo called +* Move the issue to the private repo called [premature-disclosures](https://github.com/nodejs/premature-disclosures). * For any related pull requests create an associated issue in the `premature-disclosures` repo and add a copy of the patch for the From 0e2c90c6db068d2d1599fabb97000fe7c0886adc Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Thu, 19 Nov 2020 09:23:19 -0500 Subject: [PATCH 05/10] fixup --- doc/guides/collaborator-guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index ca5b245e311186..d468ee491809c8 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md 
@@ -820,5 +820,6 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [git-username]: https://help.github.com/articles/setting-your-username-in-git/ [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues -[unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 [security reporting]: https://github.com/nodejs/SECURITY.md +[unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 + From 9a85ac9037563ea094e7cb3ad8c0eb9123e48b0a Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Thu, 19 Nov 2020 09:45:55 -0500 Subject: [PATCH 06/10] fixup --- doc/guides/collaborator-guide.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index d468ee491809c8..1f6233c618d543 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -822,4 +822,3 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues [security reporting]: https://github.com/nodejs/SECURITY.md [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 - From 9bc524732a9f1cd9e600bdf6cee35070f6d06be3 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 20 Nov 2020 10:50:20 -0500 Subject: [PATCH 07/10] Update doc/guides/collaborator-guide.md Co-authored-by: Richard Lau --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 1f6233c618d543..073cf8559549aa 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md 
@@ -820,5 +820,5 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [git-username]: https://help.github.com/articles/setting-your-username-in-git/ [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues -[security reporting]: https://github.com/nodejs/SECURITY.md +[security reporting]: ../../SECURITY.md [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 From c97676c6d81a4136c5e26b98e30b02d244d3867c Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 20 Nov 2020 10:53:09 -0500 Subject: [PATCH 08/10] Update doc/guides/collaborator-guide.md Co-authored-by: Richard Lau --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 073cf8559549aa..bab5901c3e0453 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -113,7 +113,7 @@ describing a security issue, take the following steps: `FYI - PR deleted #YYYY`. * Email `tsc@iojs.org` with the link to the issues in the `premature-disclosures` repo so that the TSC is aware that they - may need to expidite handling of the issue due to premature + may need to expedite handling of the issue due to premature disclosure. ## Accepting modifications From 7e4de86fcba30f326363c445f1a8bf2e342c8e70 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 20 Nov 2020 10:55:58 -0500 Subject: [PATCH 09/10] fixup[ --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index bab5901c3e0453..86d22941758dbd 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md 
@@ -820,5 +820,5 @@ If you cannot find who to cc for a file, `git shortlog -n -s ` can help. [git-username]: https://help.github.com/articles/setting-your-username-in-git/ [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues -[security reporting]: ../../SECURITY.md +[security reporting]: https://github.com/nodejs/node/blob/HEAD/SECURITY.md [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 From efe89c41003dbcfa5a31141fb4e7405a9f76c187 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Mon, 23 Nov 2020 17:27:00 -0500 Subject: [PATCH 10/10] Update doc/guides/collaborator-guide.md Co-authored-by: mary marchini --- doc/guides/collaborator-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md index 86d22941758dbd..d59b7a3eda3b25 100644 --- a/doc/guides/collaborator-guide.md +++ b/doc/guides/collaborator-guide.md @@ -100,7 +100,7 @@ describing a security issue, take the following steps: * Ask the originator to submit a report through Hacker one as outlined in [SECURITY.md][security reporting]. * Move the issue to the private repo called -[premature-disclosures](https://github.com/nodejs/premature-disclosures). + [premature-disclosures](https://github.com/nodejs/premature-disclosures). * For any related pull requests create an associated issue in the `premature-disclosures` repo and add a copy of the patch for the pull request, and screenshots of discussion on the PR to the issue.
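Review bot: in the table-of-contents hunk of PATCH 01/10, the new entry `* [Security issues](#managing-security-issues)` is the only entry whose link text does not match its heading; every other entry reuses the heading text verbatim, so `* [Managing security issues](#managing-security-issues)` would keep the list consistent and make the anchor easier to check against the `### Managing security issues` heading added in the same patch.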
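Review bot: in the `### Managing security issues` hunk of PATCH 01/10, the step that opens a public issue titled `FYI - PR deleted #YYYY` confirms in public that PR #YYYY was security-sensitive while the fix is still being prepared privately; consider a neutral title, or delivering the FYI to the originator through the HackerOne report or by email instead of a new public issue, and if a public notice is kept on purpose, state that trade-off in the guide. Smaller points in the same hunk: "Hacker one" should read `HackerOne`; `[GitHub suppport](https://support.github.com/contact)` has a typo in the link text; `Node.js(team)` needs a space; the "Move the issue to the private repo called `premature-disclosures`" bullet is missing its terminating period; and "expidite" is only corrected in PATCH 08/10, so the fix belongs in the same commit.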
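Review bot: in the link-reference hunk of PATCH 01/10, `[security reporting]: https://github.com/nodejs/SECURITY.md` points at the nodejs organization rather than at a file in this repository, so the `[SECURITY.md][security reporting]` links in the new section would not resolve; PATCH 07/10 replaces it with `../../SECURITY.md`, which does resolve from `doc/guides/` when the guide is rendered in-repo, and PATCH 09/10 then settles on `https://github.com/nodejs/node/blob/HEAD/SECURITY.md`. Either of the last two works, but the final target should arrive in a single commit, and the PATCH 09/10 subject `fixup[` carries a stray bracket that disappears once the fixups are squashed.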
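Review bot: in the PATCH 02/10 hunk, the replacement line `(premature-disclosures)[https://github.com/nodejs/premature-disclosures)` has the Markdown link syntax inverted (brackets and parentheses swapped, closing bracket missing) and drops the two-space continuation indent of the list item; PATCH 03/10 fixes the syntax, PATCH 04/10 only strips trailing whitespace from the preceding line, PATCH 10/10 restores the indent, and PATCH 05/10 reorders the reference list alphabetically but adds a trailing blank line that PATCH 06/10 removes again. All of these are corrections to PATCH 01/10 and should be squashed into it so the landed commit matches the final, lint-clean text.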