Security Working Group Purpose proposal #1
Conversation
This may be a bit pedantic, but I think safety (e.g., memory and type safety) seems like a related important goal for something like this group (even though they may not always have security implications).
| * Define and maintain security policies and procedures for: | ||
| - the core Node.js project | ||
| - other projects maintained by the Node.js Foundation technical group | ||
| * Define and maintain policies and procedures for the coordination of security concerns within the external Node.js open source ecosystem |
I would add, "help maintainers fix high-impact security vulnerabilities". We have huge technical skills in the team, and we might help maintainers in need. Maintaining OSS is hard, and having a place where they can ask for help might be very interesting.
It would certainly be good to have a process in place to help developers mitigate those Node-related security issues. This, of course, could take quite a few forms, from helping with PRs to writing up guides and documentation.
I'm not sure if this belongs in here, but I would add that you may want to word this appropriately, perhaps as "offer to help" or something, as I wouldn't want this to cause friction within the module space. Sometimes there are different ways to fix a security issue, and different opinions on what is inherent to an API vs an actual security issue, so I wouldn't want to see people feeling like the WG is imposing themselves & their opinions down on modules like law outside of the foundation :)
@dougwilson let me rephrase this. There are certain vulnerabilities in the ecosystem that can affect the full Node.js project, and the public image of the Node community. We need a group of people that can help dealing with those, and possibly contain the fallout. It's not imposing, but it is if the ecosystem does not fix the issue, then we can help providing either resources or help to do it.
From an end-user point of view, if split2 has a security or DoS vulnerability, and I am hit by a truck, someone should be notified and deal with the issue.
I would agree with Matteo here. One challenge we have faced in the past that I would love to see addressed is the problem of abandoned / unmaintained, but popular, packages having high-impact security vulns and being left without a patch or a path forward. Since we can't just do this in the public, and this group will be larger and have more resources than we've ever had, it would be fantastic to be able to do this.
On Nov 30, 2016, at 4:52 PM, Matteo Collina ***@***.***> wrote:
@mcollina commented on this pull request.
In README.md <#1 (review)>:
> @@ -2,7 +2,17 @@
## Purpose
-_... help fill this in!_
+* Define and maintain security policies and procedures for:
+ - the core Node.js project
+ - other projects maintained by the Node.js Foundation technical group
+* Define and maintain policies and procedures for the coordination of security concerns within the external Node.js open source ecosystem
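Review bot: the purpose bullets added in this hunk state scope but no mechanism; "coordination of security concerns within the external Node.js open source ecosystem" does not say how a maintainer reaches the group or what happens once a report arrives. Suggest adding, under that bullet, a pointer to the reporting and disclosure procedure (a placeholder link is fine until one exists) so the README tells a reporter what to do rather than only what the group is for. Note also that the header `@@ -2,7 +2,17 @@` announces more added lines than the five quoted here, so the rest of the new Purpose section is not visible in this reply.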
I would add, "help maintainers fix high-impact security vulnerabilities". We have huge technical skills in the team, and we might help maintainers in need. Maintaining OSS is hard, and having a place where they can ask for help might be very interesting.
Any relevant content from here should be merged into #9 in favor of this pull request. @sam-github
| - the external Node.js open source ecosystem | ||
| * Promote improvement of security practices within the Node.js ecosystem | ||
| * Recommend security improvements for the core Node.js project | ||
| * Facilitate and promote the expansion of a healthy security service and product provider ecosystem |
What would it mean in terms of actions? I don't fully understand that point. :/
#9 landed, so closing this (Rod can always open it again if he wants to rebase or add to it)