Potential stagnation of open issues on h1 bounty program #654
Comments
|
thanks @sam-github |
|
I apologies for that @phra. We are way behind on many reports and have taken actionable steps previously too to ensure we prioritize correctly with the limited time folks here have but that's still hard. We are welcoming others to join and have recently added a couple more but that's still not scalable with the amount of reports we're getting. I'm happy to hear any ideas you have on #604 as Sam mentioned. |
|
i have commented on #604 |
|
I would let you know that the number of issues in the bounty program is too big and the situation is becoming untenable. There are weeks of full time work to exhaust that pipeline and no one who is going to do them. |
|
Should we stop accepting new reports until we decide on the new direction and act on that decision? I think we probably should. |
|
@nodejs/security-wg I'd love your opinion ☝️. |
I think we should keep accepting them for projects/organizations that opted in. |
|
Fair point, I agree with that. |
I agree with this. Many of the current reports are probably the same findings in different packages and so far most maintainers did not react / answer after I have informed them (so far mostly the low priority bucket ones) so in my opinion this would be helpful to accept these which opted in. |
Where is a list of projects/organizations that opted in? |
@esarafianou i think they are referring to the repo/orgs list shown on Node.js third-party modules h1 page. |
|
We add assets for every new package we have a report for. This list does not represent packages where maintainers opted in to be part of the program. |
|
@MarcinHoppe ok, so is this list available to be reviewed? 😄 a question regarding packages that instead were removed from the list (i have reports for packages that were in the list but aren't anymore): does it mean that the maintainers opted out or something else? |
|
The best link I think there is is this one: @lirantal @vdeturckheim is this the correct list of packages that have the maintainer opt-in? |
|
This one that have confirmed: https://github.com/nodejs/security-wg/blob/master/processes/bug_bounty_criteria.md#confirmed |
|
This list seems to be a year old. If we are to allow packages whose maintainers have opted-in, I think it's valuable to reach out to the maintainers once again to verify that they still wish to be in the program. |
|
I think the situation of the H1 program is getting severe. I've tagged this as tsc-agenda. I strongly recommend to shut the program down. |
|
I agree, I think the fact that it is open sets the expectations we are currently not able to meet. |
|
@mcollina any feedback from the TSC? |
|
Sorry meant to post this to the issue, from the minutes:
|
|
Hi all, We'd be happy to support the program over at www.huntr.dev. We're rebuilding our disclosure process at the moment, including support for private disclosure and incentivising security researchers and maintainers for securing open source code. Perhaps I could introduce myself and what we're building at a future meeting? |
|
@adam-nygate +1 to doing an introduction. One question in advance. From the part on the web site on disclosing a vulnerability, it seems to say to open a pull request. Does that mean the vulnerability is immediately public? |
Great @mhdawson, could you let me know where I can register to attend the next meeting?
Yes, we built our current disclosure process pretty quickly and around GitHub Issues (which are public by default), we were hoping for GitHub to bring out private issues or to expand the functionality of their security advisory feature, but now our plans are to build out a new disclosure process that supports both full and coordinated disclosure, allowing the Maintainer of a project to choose. |
|
How does this compare to HackerOne? |
|
@mhdawson 9:30 would work. |
|
Invite sent |
|
Thanks! Confirmed I got it and sent internally for folks to join. |
|
I'm going to close this one out. From what I understand all triage issues have been closed as outlined in: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 @lirantal mentioned that there are a small number of issues that need to be "triaged" then close in a similar manner but he is planning to do that this week. |
|
@mhdawson et all - I now finished reviewing all the pending reports too and the HackerOne inbox for the ecosystem security working group is now clear.
|
Hello,
I've recently open few issues on the 3rd party modules h1 bounty program and I'm noticing a bit of delay in responses from the team, e.g. a bug that was fixed two months ago after I contacted the developer myself is still in triaged status without any response but h1 staff ones.
I understand the amount of effort involving managing the program itself but leaving open issues for a long time without any interaction can damage the whole initiative, especially when the only party not actively participating in the resolution are the program managers themselves.
Do you have any thoughts on how we can improve the bug hunters' experience by providing a smoother resolution and achieve more prompt reactions?
I maybe have a couple of suggestions already, that are:
I will be happy to hear from you what are your thoughts on this particular topic.
PS: I can eventually be available to help with the program in my spare time.
EDIT: regarding 1., I noticed that a process is already defined here.
The text was updated successfully, but these errors were encountered: