From my initial notes, please edit to add what I'm missing (we'll discuss in WG meeting):
(part of this had been sent via e-mail, but moving it to this task)
Great to see this, and more than happy to help get things going from the HackerOne side!
@vdeturckheim -- My recommendation would be to set up a separate HackerOne program just for Node.js module vulnerabilities (separate from Node.js core issues). Perhaps https://hackerone.com/nodesecurity or something similar? You can just go to https://hackerone.com/teams/new to create a new program. Having a separate program makes it way easier to route issues to the right team, especially as per the other discussions I've seen about having Node.js core security issues be restricted to a much smaller group.
As far as pulling data from HackerOne, we have a full API available at https://api.hackerone.com/
@reedloden thanks a lot. Yes, after playing a bit with HackerOne, I got to the same conclusion; having two teams is the easiest way to go for us.
I'll create this team tonight or this weekend.
@sam-github just wondering if you are still planning to get to the action you are tagged with in the description.
@sam-github I'm joining Michael on the ping. If this is something you want to pass on, let me know and I'll be happy to jump in and help.
I think right now @lirantal is the most active on that front right?
@mhdawson is there anything specific that we need to discuss today, or can the security-wg-agenda label be removed (it's been there since November 2017)? My guess is that it can be removed.
I think it would be worthwhile to get an update on @lirantal. If he's not heard back from Sam we should discuss how progress is made on the remaining items.
Didn't get an update from Sam, but I did start working on tooling around the HackerOne platform and automating vulnerability triage/reporting.
I'll further update on the issue when I have some of that tooling to share (waiting on some APIs from the HackerOne platform).
In the meanwhile I assigned the ticket to myself, Sam and Vladimir so I can track it better.
@lirantal thanks for the update.
Chiming back on this issue:
I am happy to build a thing that pulls the info from the nsp. @lirantal What kind of help do we need from @sam-github and @evilpacket? I am not fully sure I understand everything yet.
@pxlpnk unfortunately I don't have anything on it either. I tried to ping both of them a while ago as well but didn't get any response.
We need some background info on how/where to pull in the data from NSP.
I reached out to @evilpacket directly through email asking that he comment here.
We have a running process.