mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 21:19:50 +01:00
Code Issues Releases Activity

doc: add h1 summary to security release process

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/49112
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
This commit is contained in:
Rafael Gonzaga 2023-08-17 16:40:20 -03:00 committed by GitHub
parent 478ca18fd7
commit 3af65855c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/contributing/security-release-process.md
View File

@ -56,6 +56,8 @@ The current security stewards are documented in the main Node.js
* [ ] pre-release: _**LINK TO PR**_
* [ ] post-release: _**LINK TO PR**_
* List vulnerabilities in order of descending severity
* Use the "summary" feature in HackerOne to sync post-release content
and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Ask the HackerOne reporter if they would like to be credited on the
security release blog page:
```text
@ -79,6 +81,9 @@ The current security stewards are documented in the main Node.js
between Security Releases.
* Pass `make test`
* Have CVEs
* Use the "summary" feature in HackerOne to create a description for the
CVE and the post release announcement.
Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.