nodejs/security-wg

Name: security-wg

Owner: Node.js Foundation

Description: Node.js Security Working Group

Created: 2016-11-29 15:16:52.0

Updated: 2018-05-22 23:57:35.0

Pushed: 2018-05-22 23:57:33.0

Homepage: null

Size: 540

Language: JavaScript

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Security Working Group

Note: this group is in the process of seeking Charter by the TSC (https://github.com/nodejs/TSC/issues/486)

Mandate

The Security Working Group's purpose is to achieve the highest level of security for Node.js and community modules.

Its responsibilities are:

• Define and maintain security policies and procedures for:
• the core Node.js project
• other projects maintained by the Node.js Foundation technical group
• Work with the node security project to bring community vulnerability data into the foundation as a shared asset.
• Set up processes and procedures and follow these to ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well documented processes for reporting vulnerabilities in community modules.
• Work to set a high standard for the Node.js project. Possibly efforts could include penetration testing, security reviews etc, review guidelines, coding standards etc.
• Review and recommend processes for handling of security reports (but not the actual handling of security reports, which are reviewed by a group of people directly delegated to by the TSC).
• Define and maintain policies and procedures for the coordination of security concerns within the external Node.js open source ecosystem.
• Offer help to npm package maintainers to fix high-impact security bugs
• Maintain and make available data on disclosed security vulnerabilities in:
• the core Node.js project
• other projects maintained by the Node.js Foundation technical group
• the external Node.js open source ecosystem
• Promote improvement of security practices within the Node.js ecosystem
• Recommend security improvements for the core Node.js project
• Facilitate and promote the expansion of a healthy security service and product provider ecosystem vulnerabilities.

Private Node.js core security group

The Node.js Security Working Group is not responsible for managing incoming security reports to the security@nodejs.org address, nor is it privy to or responsible for preparing embargoed security patches and releases.

The Node.js TSC maintains primary responsibility for the management of private security activities for Node.js core but relies on the Node.js Security Working Group to recommend and help maintain policies and procedures for that management.

Node.js Bug Bounty Program

The Node.js project engages in an official bug bounty program for security researchers and responsible public disclosures.

The program is managed through the HackerOne platform at https://hackerone.com/nodejs with further details.

Participate in Reponsible Security Disclosure

As a module author you can provide your users with security guidelines regarding any exposures and vulnerabilities in your project, based on a responsible dislcosure policy document we've already put in place.

You can show your users you take security matters seriously and drive higher confidence by following any of the below suggested actions:

1. Adding a SECURITY.md file in your repository that you can copy&paste from us. Just like having a contribution of code of conduct guidelines, a security guideline will help user or bug hunters with the process of reporting a vulnerability or security concern they would like to share.

2. Adding our Responsible Security Dislosure badge to your project's README which links to the SECURITY.md document.

Current Project Team Members

• bengl - Bryan English
• brycebaril - Bryce Baril
• ChALkeR - ????????? ?????? ?????????
• cjihrig - Colin Ihrig
• dgonzalez - David Gonzalez
• deian - Deian Stefan
• digitalinfinity - Hitesh Kanwathirtha
• dougwilson - Doug Wilson
• drifkin - Devon Rifkin
• evilpacket - Adam Baldwin
• gergelyke - Gergely Nemeth
• gibfahn - Gibson Fahnestock
• grnd - Danny Grander
• jasnell - James M Snell
• jbergstroem - Johan Bergström
• joshgav - Josh Gavant
• lirantal - Liran Tal
• MarcinHoppe - Marcin Hoppe
• mcollina - Matteo Collina
• mdawson - Michael Dawson
• mgalexander - Michael Alexander
• ofrobots - Ali Ijaz Sheikh
• roccomuso - Rocco Musolino
• sam-github - Sam Roberts
• shigeki - Shigeki Ohtsu
• SomeoneWeird - Adam Brady
• vdeturckheim - Vladimir de Turckheim