Security-wg: Security WG meeting 2017-10-12

Created on 10 Oct 2017 · 8 Comments · Source: nodejs/security-wg

When

Thursday, Aug 12th, 2017, 20:00 UTC: other timezones

Where

Agenda

  • threat model for Node.js (https://github.com/nodejs/security-wg/issues/51)
  • add Daniel Kluss (https://github.com/nodejs/security-wg/issues/50)
  • Have node become a CNA, so it can issue its own CVEs (https://github.com/nodejs/security-wg/issues/33)
  • Review WG notes, and develop plans/action items/TODO lists to do the things we want. https://github.com/nodejs/security-wg/issues/53
  • ... (anyone is free to edit in more to the agenda, or comment below)
wg-agenda

All 8 comments

Would be good to recap quickly some of the discussion that happened at Node Interactive security dinner and raise those items for group commentary.

Things I remember discussing not already on the agenda

  • Committing to HackerOne for core & community (modules) reporting of vulnerabilities
  • Defining who can see what during the process
  • Documenting in detail the process for vulnerability ingesting, triage, management and disclosure,
    ISO 29147 [zip]

Some additional evidence with regard to HackerOne in the form of compliance with the ISO 29147 / ISO 30111

I can't make it today, but for "Have node become a CNA, so it can issue its own CVEs" one discussion point is whether it makes sense to make that effort ourselves, or simply use HackerOne (which is a CNA) to issue CVEs

I'll set up the call info in 20 minutes; doing it late makes the hangouts work better.

I posted the call URL: https://hangouts.google.com/hangouts/_/jyz5dlubsnh4vjajxajcwmgoeae

The call starts in one hour, the Node.js calendar is wrong, I'll see if I can change it (I think I was given permission).

@Trott I think you tried to give me edit permission on the Node.js Foundation calendar, but I can't move the sec-wg meeting time to the correct one (an hour from now, 1pm PST).

Can you try again? Or did I miss an invite email I had to accept? Not really sure how it works.

Or @mhdawson or @MylesBorins , do either of you have the power to give me edit access to the foundation calendar? Michael, can you sync up the calendar time with the correct time for this meeting?

@Trott I think you tried to give me edit permission on the Node.js Foundation calendar, but I can't move the sec-wg meeting time to the correct one (an hour from now, 1pm PST).

No, wasn't me. Maybe @williamkapke?

I moved the meeting time to 1PM PDT.

RE: Calendar Access:
https://github.com/nodejs/admin#nodejs-foundation-calendar

reminder: meeting starting in a couple minutes @nodejs/security-wg
