Security-wg: HackerOne help

Created on 20 Apr 2018 · 13 Comments · Source: nodejs/security-wg

Hello, I have a HackerOne report but I'm not getting any replies. I then tried to email [email protected] and then [email protected] but both go to HackerOne. What is the method to get a hold of someone? I'm trying to get a resolution on an issue before I leave in a few hours on vacation.

All 13 comments

Hey @dougwilson ... hmmm I'm looking at the HackerOne project for nodejs and it's not showing up there. Is the report for Node.js core or an ecosystem module? There are two separate HackerOne accounts, only one of which I can see.

Do you have access to the https://github.com/nodejs-private/security repo? If neither HackerOne account is working for you, and if you have access there, open an issue in that repo. Otherwise, feel free to send me an email with the issue and I'll get the report opened.

We're still ironing out some issues with the HackerOne switch so apologies for the difficulty.

Definitely hope you enjoy your vacation!

Sorry, I didn't fully expand in my issue above, my bad :) So this is an ecosystem report that is already open against a module I maintain. I was not invited to the report until this morning, and want to get a fix out as soon as possible, especially since I'm just about to take extended leave from Node.js due to lack of Internet connectivity. I don't have the link handy at the moment, but the issue title starts with [send] in the ecosystem HackerOne section.

@dougwilson The last reply was 4 hours ago (from the original reporter). I understand you're trying to depart soon, but everybody who handles ecosystem vulnerabilities is a volunteer and does this on a best-effort basis. I've poked the right people, but no promises that somebody will be able to get you a reply ASAP.

@dgonzales will look into it asap (or so he told me).

@dougwilson Sorry for a late response but I am in a different timezone (CEST) and was away from the keyboard for a couple of hours. I did not mean to neglect your messages, just did not get them.

I responded on the HackerOne report and I think we are in a good shape right now. The change to the simple sample in the README is a sufficient remediation.

Thanks for your patience!

Maybe we should update our HackerOne page with a link to our Slack. That's probably the best way to obtain quick support from the triage team.
Also, a few of us are unavailable this week/weekend :/

> Maybe we should update our HackerOne page with a link to our Slack.

👍

The HackerOne report in question has now been closed. Are we good to close this issue?

I'd prefer to have a separate issue to add Slack info on the HackerOne page.

I think we are good yes.

It looks like we have a consensus (or at least nobody voiced any objections). Closing.

Yes, I have some super slow Internet right now and I did get help Friday and so this can be closed. A Slack group would be awesome for the future :+1:

@vdeturckheim updated the Node.js Ecosystem landing page with that info https://hackerone.com/nodejs-ecosystem/

thanks for your input and patience @dougwilson
