My first cut:
A big thank you to all of the ethical hackers out there helping to make Node.js more secure. Check out the top contributors here: https://hackerone.com/nodejs-ecosystem/thanks and here: https://hackerone.com/nodejs/thanks
LGTM
We can probably try to tag them in the tweet or if you include a screenshot from one of those boards (maybe also an idea to split it to two tweets one about core and one about ecosystem) then you can also mention them in the image.
I'm not sure I understand what you mean by "tag" them or what you mean by mentioning them in the image?
Meant to mention them as in 'thanks to @ bl4de, @ person2, etc ...' and if we embed an image in a tweet we can also mention people.
Sorry for being unclear :-)

A big thank you to all of the ethical hackers out there helping to make Node.js more secure 👏
bl4de skovorodan 0xdade jzebor holyvier tungpun_ securityyasin
Check out the top contributors here: https://hackerone.com/nodejs-ecosystem/thanks and here: https://hackerone.com/nodejs/thanks

How often do we want to send a thank you out to these folks? If we want to do a weekly tweet, I can create a Google spreadsheet and you can provide the handles for who should receive a thank you every week - I would probably make it four per week. I would post something like: This weekly thank you goes out to XXX, XXX, XXX and XXX for helping with #nodejs security. And a general thank you to all those who help keep #nodejs safe: https://hackerone.com/nodejs/thanks.
My only concern with this is that it might be time consuming and folks might feel a little left out if we accidentally forget them (and we want to factor in human error here too). If we want to do it monthly, then I can just post the general thank you as Michael did and link back to the thank you board. I think that's the best and we avoid any sense of favoritism. Just let me know this group's preference here and I'll get things together.
A weekly tweet is too frequent but if we keep it at a monthly I think we're good and I do think we should mention bug hunters individually - it is more personal and recognizing. We have a couple of dozen individuals which is possible to cover without leaving anyone out IMO.
I like the spreadsheet idea and I can definitely keep up with updating it as necessary.
Alright, I will be sending a tweet out on the 25th of every month. @lirantal if you want to populate with correct names and social handles, please add them to this document: https://docs.google.com/spreadsheets/d/1yMqH9FhzmwxJuBarbqEdr2Z1Re491nt4st68HZjOHSA/edit#gid=0 Again aiming to thank four people per month, hence why June is written four times, July four times, etc. To make sure that we can track this, maybe we use the hashtag #nodejssecurity? So if you missed it when I tweet it out, it's easy to find and retweet. LMK if you prefer a different hashtag here.
I'd suggest that we also agree that in absence of data for some reason, we just do the general tweet. ie if Liran has provided the specific info for the month we use that, otherwise we use the general form.
How does that sound?
Yes, that makes perfect sense to me. I'll just plan to check in on the 25th of every month, if we don't have any names listed, I'll draft a general tweet.
Scheduled this to go out tomorrow with the hashtag #nodejssecurity. It was a general tweet as I didn't see any folks noted in the document shared :)
Thanks Zibby for that spreadsheet!
I updated it with extra columns to give context if you want to, and added several entries.
Need to see how other triage members remember to update it as well once they disclose vulnerabilities or handle reports in general, and how in general we don't forget every month to update it :-)
@lirantal we probably also need to document this as a "process" in the repo which
The doc might actually be more general, something like a process for thanking ethical hackers, and cover what we do in general, with the initial content being the tweets we send out.
We can then use that as a pointer to send to new people who join the team, we might also want a standing issue in the repo tagged security-wg-agenda so we remember to check if we've updated it.
That's a good idea Michael. I'll open a PR and we can iterate it.
@ZibbyKeaton I have updated the shared documentation with recently disclosed vulnerabilities by different hackers and you have items there to tweet until end of September.
Thank you @lirantal I missed a few of these in July, so I'll double up on a few items in August. I'll put something next to each name to confirm that the tweets have gone out in case you miss them on Twitter. I'll also be sure to hashtag them with #nodejssecurity so they are easier to find!
great thanks!
If it works for you I think we can also just do a weekly tweet for individual reports. I have added quite a few of them so it should cover us for the next 2 months or so.
@ZibbyKeaton FYI I've further updated that document with more reports for the October time-frame.
We're communicating on-track through that document so I'll close this issue and re-open if it will be necessary to revive the discussion again.