Security-wg: Implement process for management of third-party vulnerabilities

Created on 11 Oct 2017 · 14 Comments · Source: nodejs/security-wg

From my initial notes, please edit to add what I'm missing (we'll discuss in WG meeting):

  • [x] (@sam-github) Set up storage for vulnerabilities and seed with nsp data. We are using JSON files committed into a GitHub repo
  • [x] (@vdeturckheim) Set up HackerOne teams and workflow
  • [x] Document the process, so people know what the process is we are using the tool for
  • [x] (@lirantal) Implement script to pull vulns from HackerOne into GitHub-ready JSON. See PR https://github.com/nodejs/security-wg/pull/234
  • [ ] (@lirantal) Implement script to pull new vulns from Node Security Project (ones received after the initial dump) into GitHub-ready JSON - temporary measure until the nodefoundation becomes the primary reporting endpoint, at which point we can stop scraping
  • [x] PR change to email address alias to direct vulnerability reports to HackerOne
  • [x] PR change to https://nodejs.org/en/security/ to direct third-party package vulnerabilities to be reported to Node Foundation, not Node Security Project

All 14 comments

(part of this had been sent via e-mail, but moving it to this task)

Great to see this, and more than happy to help get things going from the HackerOne side!

@vdeturckheim -- My recommendation would be to set up a separate HackerOne program just for Node.js module vulnerabilities (separate from Node.js core issues). Perhaps https://hackerone.com/nodesecurity or something similar? You can just go to https://hackerone.com/teams/new to create a new program. Having a separate program makes it way easier to route issues to the right team, especially as per the other discussions I've seen about having Node.js core security issues be restricted to a much smaller group.

As far as pulling data from HackerOne, we have a full API available at https://api.hackerone.com/

@reedloden thanks a lot. Yes, after playing a bit with HackerOne, I got to the same conclusion: having two teams is the easiest way to go for us.

I'll create this team tonight or this weekend.

@sam-github just wondering if you are still planning to get to the action you are tagged with in the description.

@sam-github I'm joining Michael on the ping - if this is something you want to pass on, let me know and I'll be happy to jump in and help.

I think right now @lirantal is the most active on that front right?

@mhdawson is there anything specific that we need to discuss today, or can the security-wg-agenda label be removed (it's been there since November 2017)? My guess is that it can be removed.

I think it would be worthwhile to get an update on @lirantal. If he's not heard back from Sam we should discuss how progress is made on the remaining items.

Didn't get an update from Sam, but I did start working on tooling around the HackerOne platform and automating vulnerability triage/reporting.

I'll further update on the issue when I have some of that tooling to share (waiting on some APIs from the HackerOne platform).

In the meanwhile I assigned the ticket to myself, Sam and Vladimir so I can track it better.

@lirantal thanks for the update.

Chiming back on this issue:

  • I updated the to-do list by toggling on the 4th item about pulling reports from HackerOne into our DB due to https://github.com/nodejs/security-wg/pull/234
  • I believe @pxlpnk could help pick up the NSP migration into our DB, but regardless of who will do it we still need @sam-github's or @evilpacket's help to get around things.

I am happy to build a thing that pulls the info from the nsp. @lirantal What kind of help do we need from @sam-github and @evilpacket ? I am not fully sure I understand everything yet.

@pxlpnk unfortunately I don't have anything on it either. I tried to ping both of them a while ago as well but didn't get any response.

We need some background info on how/where to pull in the data from NSP.

I reached out to @evilpacket directly through email asking that he comment here.

We have a running process.
