HackerOne's managed services #516

@reedloden reached out to us earlier this week to announce that we could get access to HackerOne's managed services for free for both our programs.
In my understanding, this means most of the actions to manage the H1 programs will be handled by the H1 team (including first-level triage, bounty management, and program health reports).
This is a one-year pilot program starting on April 1st; therefore, if we want to move forward on this, we should make the decision ASAP.
I am personally +1 for having this on both programs.
@nodejs/security-wg @nodejs/security-triage wdyt?
Regarding the ecosystem bug bounty, I believe a decision from the WG is enough.
Regarding the core bug bounty, we might need TSC confirmation.

Comments

👍 from me as well. We should discuss it at a team meeting.

For ecosystem, I think we will need to nail down who we want to interact with package maintainers: the current ecosystem triage team or H1 staff. Other than that, I think it is a great offer.

@dgonzalez In order to move quickly, we could schedule a meeting next week, wdyt? @MarcinHoppe I have discussed it with @reedloden; contacting maintainers would still be in our hands.

@vdeturckheim I agree 👍.

@mcollina, @rvagg, @sam-github I'm wondering what your opinions are on this offer for Node core vulnerabilities. I'm also wondering if some mix where first-level triage is handled by both members of H1 and our existing triage team makes any sense.

I saw the email and couldn't really form much of an opinion, unfortunately. We don't really have a high volume and seem to be managing it OK. Maybe it would be nice to offload the "please help me uninstall node" type reports, but we don't really have a lot of those. @mcollina, you seem to be handling most of the current load, what do you reckon?

We don't have much traffic on the Node security front. The hard problem is not triaging those; it's the actual fixes, which are often hard. I would actually prefer to read more about this before committing. A lot of vulnerabilities are very subtle (the boundary between a bug and a vuln is more often than not thin), and I'm not sure we should leave this to H1. Where may I read more about this topic?

@mcollina I just forwarded you the email from @reedloden describing this.

I think we can try this out.

@nodejs/tsc PTAL

I think the TSC should retain the management of the bounties, with a recommendation from H1.

No objections on this, but I agree with @mcollina with regards to the bounties.

To be clear about the bounties, Node.js's bounty funds come from the Internet Bug Bounty, which sets the bounty qualifications and amounts (the bounty table), generally mapped to the severity of the issue. Node.js is then free to award bounties that meet the predefined guidelines/criteria. The IBB will defer to the individual programs as to what they feel the severity is (though recommending that something such as CVSS be utilized), but the actual bounty amounts should be in line with what the bounty table shows. If the Node.js Foundation wants to start providing additional bounty funds, then we can definitely revisit how the bounty amounts are decided.

Could the email proposing the managed service be pasted in here? Or a link to some more information? I wasn't on the list of people who got it. I'm not sure what the "managed service" is.

I found the email, but @reedloden, perhaps the offer should be here as well? I think the opinion of people who are currently doing Node.js issue triage should weigh more heavily than those who are not (I am not). I think the managed service looks interesting. It's a one-year trial, so I would be inclined to try it out and reevaluate it as it goes along, to see if it is effective for us.

@sam-github Matteo has done the majority of the triaging in the past 6 months, I think, so his +1 without any -1's is good enough, I think.

OK, that sounds like we are going to try this. @reedloden what are the next steps?

@sam-github Just followed up via e-mail to kick things off. :-)

Notified Mitre that HackerOne may allocate CVEs for Node.js vulnerabilities in 2019. /cc @reedloden

> Hi, I'm not sure if we have to notify Mitre, or if this is the right
> We'll try this for 2019, and decide whether it's effective or not. If
> Some more info in #516
> Cheers,

Concerning ecosystem, we just had the kickoff call with H1. It will start on Monday (May 6th).

I thought the kickoff was May 13th, or did ecosystem have a different one from Node?

@sam-github Yes, it was only for the ecosystem. The core one is still scheduled for May 13th.

Can this be closed now?

@reedloden @sam-github @vdeturckheim I missed the kickoff call for this and didn't yet get a chance to watch the recording, but I did notice HackerOne being more engaged in issues, so this has indeed started already. What I'm concerned about (not in a bad way) is making sure we track expected work from H1 as well as from ours, and update our disclosure process to accommodate this change.

H1 will do initial triage and validate the issue (including going back and forth with the reporter to ensure the issue is valid and has a working POC). From there, it is handed off to the Security WG to reach out to maintainer(s), assign a CVE, etc.

Thanks Reed for chiming in.

@lirantal I'd say it's something we will learn along the way with the H1 team. Wdyt?

Definitely.