|
7 | 7 | * [Closing issues and pull requests](#closing-issues-and-pull-requests) |
8 | 8 | * [Author ready pull requests](#author-ready-pull-requests) |
9 | 9 | * [Handling own pull requests](#handling-own-pull-requests) |
| 10 | + * [Security issues](#managing-security-issues) |
10 | 11 | * [Accepting modifications](#accepting-modifications) |
11 | 12 | * [Code reviews](#code-reviews) |
12 | 13 | * [Consensus seeking](#consensus-seeking) |
@@ -87,6 +88,33 @@ to land but is [author ready](#author-ready-pull-requests), add the |
87 | 88 | `author ready` label. If you wish to land the pull request yourself, use the |
88 | 89 | "assign yourself" link to self-assign it. |
89 | 90 |
|
| 91 | +### Managing security issues |
| 92 | + |
| 93 | +Security issues should ideally be reported through the processes outlined in |
| 94 | +[SECURITY.md][security reporting]. This allows the collaborators to |
| 95 | +appropriately triage the report and address vulnerabilities in a planned |
| 96 | +security release. If an issue is opened in the public repo |
| 97 | +which describes a security issue, or if an issue is later identified to be |
| 98 | +describing a security issue, take the following steps: |
| 99 | + |
| 100 | +* Ask the originator to submit a report through Hacker one as outlined in |
| 101 | + [SECURITY.md][security reporting]. |
| 102 | +* Move the issue to the private repo called `premature-disclosures` |
| 103 | +* For any related pull requests create an associated issue in the |
| 104 | + `premature-disclosures` repo and add a copy of the patch for the |
| 105 | + pull request, and screenshots of discussion on the PR to the issue. |
| 106 | +* Open a ticket with GitHub asking that the PRs be deleted through |
| 107 | + [GitHub suppport](https://support.github.com/contact) |
| 108 | + using Node.js(team) as the account organization. |
| 109 | +* Open a new issue in the repository in which the issue was originally |
| 110 | + reported with a brief FYI to the originator. `FYI @xxxx we asked github |
| 111 | + to delete your PR while we work on releases in private.` with the title |
| 112 | + `FYI - PR deleted #YYYY`. |
| 113 | +* Email `[email protected]` with the link to the issues in the |
| 114 | + `premature-disclosures` repo so that the TSC is aware that they |
| 115 | + may need to expidite handling of the issue due to premature |
| 116 | + disclosure. |
| 117 | + |
90 | 118 | ## Accepting modifications |
91 | 119 |
|
92 | 120 | Contributors propose modifications to Node.js using GitHub pull requests. This |
@@ -792,3 +820,4 @@ If you cannot find who to cc for a file, `git shortlog -n -s <file>` can help. |
792 | 820 | [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials |
793 | 821 | [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues |
794 | 822 | [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22 |
| 823 | +[security reporting]: https://github.com/nodejs/SECURITY.md |
0 commit comments