Process to handle security reports

[UlisesGascon]

I am working on this process for the @expressjs/security-triage team.

I would love to get your feedback (@expressjs/express-tc @expressjs/security-wg @expressjs/security-triage ) on the current state before I begin defining this process in detail, as the changes will become more complex. Could you please share your first impressions of this process?

Note: This flow also covers unusual scenarios, such as when someone submits a security report as an issue or directly in a PR as a patch. I wanted to align this process with what Node.js has in place today. Reference

[bjohansebas]

In general, i'm okay

[wesleytodd]

Looks great! I know you said "early", so I look forward to seeing what else we add. I know for myself it would be awesome to have some more of these steps have more details and links, similar to a runbook format.

Aside: the mermaid rendering is awesome. I need to use this more often.

[UlisesGascon]

Looks great! I know you said "early", so I look forward to seeing what else we add. I know for myself it would be awesome to have some more of these steps have more details and links, similar to a runbook format.

100% if this mermaid flow seems "good" I will start working on the runbook part (I just wanted to avoid many logic/text changes combined). Sounds good if we include the runbook in this document and PR? Or do we prefer to do it in a separate one to simplify the review process?

[UlisesGascon]

Ok, so based on the positive early feedback on the process I included the runbook too 🥳

[UlisesGascon]

I solved the format issues in 054ab8a

[UlisesGascon]

I think that I addressed most of the comment, but let me know if I missed something or closed a discussion prematurely.

[UlisesGascon]

I am merging this now, as I plan to do an additional PR to include the new process on the Bug Bounty Program (#64 (comment)). There we can include additional changes if needed.