Hi!
Given that the human/time resources for triaging and processing reports are limited, I think that there should be better guidelines that would optimize for overall impact on the ecosystem and increase the effectiveness here. E.g. for HackerOne issues, there might be more churn that impact for packages with small downloads number.
So, my suggestion would be to:
Some stats:
I generaly agree here. The triage team is under very heavy load right now and reducing scope might make sense.
Also, I would temper item (1) byt: If someone in the triag team feel like a report is woth it, he can still triage it even if unpopular.
I'd like to have your opinions @lirantal @gergelyke and @reedloden :)
I love this - I'd argue, that if we do the lower limit we should even accept reports that do not meet that threshold. If we'd say, for those feel free to directly reach out to the author / open a PR, we could free up a lot of resources on our end, and we could focus more on the more important reports.
Of course, if we will ever run out of them, we can rethink those thresholds. What do you think about it?
Maybe instead introducing thresholds, you could just add to program policy an information that reports about issues in less popular/old/not maintained modules will not be triagged immediately, only when triage team will have no other reports to verify/triage/resolve?
That's a good suggestion considering the workload we're currently handling.
My only concern is that we don't want to "scare off" new bug hunters to the program just because they won't be able to find security issues in the top 7% npm modules. This is why I wouldn't want to set hard limits on threshold, and instead I'd prefer to update the policy to convey that we give more popular modules a higher attention priority and we encourage bug hunters to reach out via a repo issue to the maintainers to work with them on the fix while still having the report submitted to HackerOne so they can earn the reputation points etc.
I wonder if tagging reports based on the criteria to indicate a priority level would be useful? Instead of a cutoff the tagged priority would indicate how quickly it might be triaged (we might even document expectations). That would also allow us to adjust priority assigned to specific reports when the case can be made that it's more/less important than the metric we apply suggests.
Perhaps it could be added as a mere recommendation for now to the h1 page?
E.g.:
I wonder if it's not too confusing or would sound like an "extra work" for someone who will be reporting an issue and they'd just bail out of it? Maybe if we can say the same thing but a little bit more concise?
My other concern is that I wouldn't want to give a bad impression of the WG not handling modules triage of specific types. I think we can do a better job to quickly triage a module that has low impact in the sense of asking the reporter to actively contact the maintainer and for us inviting them to the conversation is pretty easy.
It sounds like there is some consensus here on updating the triage process to be somewhat aware of the significance of the package affected.
Would someone be interested in updating the process description? Or, perhaps that has already happened and this can be closed?
Most helpful comment
Perhaps it could be added as a mere recommendation for now to the h1 page?
E.g.: