Skip to content
This repository has been archived by the owner on Oct 7, 2020. It is now read-only.

Create a security team #48

Closed
rvagg opened this issue Jun 3, 2015 · 22 comments
Closed

Create a security team #48

rvagg opened this issue Jun 3, 2015 · 22 comments
Labels

Comments

@rvagg
Copy link
Member

rvagg commented Jun 3, 2015

We need a small group of people who receive emails to security@ addresses (currently just [email protected] because that's all I have control over, but eventually [email protected] too).

My preference would be for it not to be the entire TSC but a smaller subgroup that can quickly and discretely and escalate issues in the appropriate way. But how we construct this is open for discussion of course.

I'd like to put my hand up for serving in this role along with a couple of others.

Discuss.

@rvagg
Copy link
Member Author

rvagg commented Jun 3, 2015

Also:

This is currently being controlled here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json

We'd need a ## Security section on the README to list this and explain the steps to take if you find a vulnerability.

@bnoordhuis
Copy link
Member

I volunteer. Do I need to file a PR for that aliases file?

Also, /cc @nodejs/crypto - I believe @indutny is or was on [email protected] and @shigeki probably makes a good addition as well.

@rvagg
Copy link
Member Author

rvagg commented Jun 3, 2015

let's see how it shakes out in discussion, the TSC probably needs to sign off on the final list, we'll give it another week

@indutny
Copy link
Member

indutny commented Jun 3, 2015

Add me up.

@indutny
Copy link
Member

indutny commented Jun 3, 2015

Btw, it is probably a good manner to cc people when issue is created. Not everyone is watching the repo.

@rvagg
Copy link
Member Author

rvagg commented Jun 3, 2015

/cc @nodejs/tsc

@Fishrock123
Copy link
Contributor

Original issue: nodejs/node#430

@jasnell
Copy link
Member

jasnell commented Jun 3, 2015

+1... Sign me up!

@cjihrig
Copy link
Contributor

cjihrig commented Jun 3, 2015

I would like to be on the list.

@shigeki
Copy link

shigeki commented Jun 3, 2015

Please add me to the list.

@mhdawson
Copy link
Member

mhdawson commented Jun 3, 2015

I'd like to be on the list as we need to quickly address issues in the IBM internal builds as well

@rvagg
Copy link
Member Author

rvagg commented Jun 10, 2015

Proposing a security@ team:

@misterdjules
Copy link

Joining the discussion a bit late, sorry about that. There is already a [email protected] mailing list, and a process outlined at https://nodejs.org/about/security/ that a lot of people have been using to report security issues. Why not start from here?

@rvagg If you're interested in having control over the management of the [email protected] mailing list, just say the word.

@trevnorris
Copy link
Contributor

Is there a passive participant position? Want to be part of this so I know what's going on, but doubt I'll have much to contribute outside of any security bugs I find.

@misterdjules
Copy link

@rvagg Also, in case it wasn't clear, I should mention that Todd Benzies from the Linux Foundation is now managing the nodejs.org Google Apps domain, so it's really managed by the Node.js Foundation, not Joyent.

@rvagg
Copy link
Member Author

rvagg commented Jun 11, 2015

@misterdjules thanks for the context, I wasn't aware of the Node.js security@ list or procedure (although I was looped in to the recent HP email thread which I guess should have clued me in!). I did a quick search of the repo / README and didn't see anything and since we don't have anything for iojs.org I figured this would be an overlapping concern but it seems not, yet anyway!

This actually comes from finally having MX set up for iojs.org so we can do email addresses and the only really pressing one is security@ so I wanted a list of people to put here: https://github.com/nodejs/email/blob/master/iojs.org/aliases.json - I also assumed we'd use the same setup (Mailgun) for nodejs.org continuing on from this issue.

I'm happy to sit on this issue for now then, since we have a [email protected] procedure in place that's all good. I'll set up an interim thing for iojs.org.

@rvagg
Copy link
Member Author

rvagg commented Jun 11, 2015

@bnoordhuis
Copy link
Member

Who is going to add the people on the list to [email protected]?

@misterdjules
Copy link

@bnoordhuis @tbenzies from the Linux Foundation can do that.

@misterdjules
Copy link

Sent an email to Todd Benzies and asked him if he can join this thread.

@tbenzies
Copy link

The following people have been added to [email protected]:

@rvagg
@bnoordhuis
@indutny
@jasnell
@cjihrig
@shigeki
@mhdawson

However, [email protected] is bouncing -- is there a different email address that I can use?

@misterdjules
Copy link

Thank you @tbenzies!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests