We don't seem to have an official way of dealing with security vulnerability reports currently, nor, as far as I can tell, an official way of reporting them. I believe it should be the TSC's responsibility to deal with security vulnerabilities and alert the relevant people, but as far as I know we don't really have an internal process for this currently. I'd like to propose to the TSC that we address this.
@brianwarner has proposed the following text (which I have lightly edited) as a starting point:
"The GraphQL TSC is in an elevated position of trust within the GraphQL community. Security concerns that impact repos under the graphql GitHub org (including reference implementations and official tools) may be responsibly disclosed to the TSC via any current TSC member, with the expectation that they will be discussed and triaged by the TSC as a whole.
Our goal is to provide complete, accurate, and actionable disclosures once a reported issue has been sufficiently understood and there has been a reasonable opportunity to deploy fixes responsibly. At no time should a TSC member release information on a pre-disclosed vulnerability to anyone besides other TSC members, Foundation staff, legal counsel, or required authorities unless there is consensus to do so. A TSC member may call for a formal vote to determine an appropriate path forward at any time in the process, if needed.
In the case of responsible disclosures, the TSC is expected to work in good faith toward a resolution that is in the best interest of the community, including coordinating with maintainers on pre-disclosure patches and the CVE process. As responsible and knowledgeable stewards of the GraphQL ecosystem, the TSC is empowered to negotiate the priority level and timelines for announcements and fixes.
In the case of irresponsible disclosure, regardless of the circumstances, the TSC is expected to make themselves available to convene urgently and to decide upon a communications and action plan."
I plan to present this at the next GraphQL TSC meeting (which is the next GraphQL WG meeting) - I'll be filing the agenda item shortly.