Process to handle security reports #56
Merged
24 commits
1461f86 (UlisesGascon) docs: add document to handle security reports
c30511c (UlisesGascon) docs: add Security Report Handling Flowchart
1a9042a (UlisesGascon) docs: add roles
7aac07b (UlisesGascon) docs: add runbook
03d7b60 (UlisesGascon) Update docs/handle_security_reports.md
dba71a6 (UlisesGascon) Update docs/handle_security_reports.md
99b4102 (UlisesGascon) Update docs/handle_security_reports.md
054ab8a (UlisesGascon) fix: format issues
707c04d (UlisesGascon) Update docs/handle_security_reports.md
eec7b04 (UlisesGascon) Update docs/handle_security_reports.md
de83da8 (UlisesGascon) Update docs/handle_security_reports.md
e88d94d (UlisesGascon) Update docs/handle_security_reports.md
ee83fa1 (UlisesGascon) Update docs/handle_security_reports.md
799e888 (UlisesGascon) Update docs/handle_security_reports.md
315b02c (UlisesGascon) Update docs/handle_security_reports.md
183adc6 (UlisesGascon) Update docs/handle_security_reports.md
014a4b1 (UlisesGascon) Update docs/handle_security_reports.md
fbc2d2c (UlisesGascon) Update docs/handle_security_reports.md
fa6bf1b (UlisesGascon) Update docs/handle_security_reports.md
6bb6700 (UlisesGascon) Update docs/handle_security_reports.md
0241b7c (UlisesGascon) Update docs/handle_security_reports.md
2544711 (UlisesGascon) Update docs/handle_security_reports.md
38b6532 (UlisesGascon) Update docs/handle_security_reports.md
8c09fbb (UlisesGascon) Update docs/handle_security_reports.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Security Report Handling Process | ||
| **Version:** 1.0 | ||
| **Last Updated:** March 2025 | ||
| **Maintainers:** Security Triage Team | ||
|
|
||
| ## Introduction | ||
| Security is a top priority for the Express.js project. This document outlines the **formal process** for handling **security reports**, including how to **triage**, **assess**, and **disclose** vulnerabilities responsibly. | ||
|
|
||
| ## Scope | ||
|
|
||
| The Security Triage Team will use this document as a process guide when a security vulnerability is reported, from triage to resolution. This process must align with the project's [SECURITY policy](https://github.com/expressjs/.github/blob/master/SECURITY.md) and cannot diverge significantly. | ||
|
|
||
|
|
||
| ## Security Report Handling Flowchart | ||
| The following diagram details the **decision-making process** for handling security reports: | ||
|
|
||
| ```mermaid | ||
| flowchart TD | ||
| A[Security Report Received] --> B[Assign Security Report Coordinator] | ||
| B --> E{Premature Disclosure?} | ||
|
|
||
| E -- No --> J[Proceed with Standard Private Process] | ||
| E -- Yes --> F[Privatize Disclosure] | ||
|
||
| F --> G[Handle Related PRs & Issues] | ||
| G --> H[Request GitHub to Remove Public PR/Issues] | ||
| H --> I[Create Public Placeholder Issue] | ||
|
||
| I --> J[Acknowledge within 5 days to the Reporter] | ||
|
||
| J --> K[Create Issue in Triage Repo for Visibility] | ||
|
|
||
| K --> L[Assess Report] | ||
|
||
| L --> M{Enough Information?} | ||
|
|
||
| M -- No --> N[Request Additional Info] | ||
| N --> L[Assess Report] | ||
|
|
||
| M -- Yes --> O{Valid Vulnerability?} | ||
| O -- No --> X[Close Report as Invalid] | ||
| X --> Y[Acknowledge within 10 days to the Reporter] | ||
|
|
||
| O -- Yes --> Q[Create Advisory] | ||
| Q --> Q1[Calculate CVSS Score] | ||
|
||
| Q1 --> Q2[Request a CVE] | ||
|
|
||
| Q2 --> R{Patch Required?} | ||
|
|
||
| R -- No --> Z[Public Disclosure] | ||
|
|
||
| R -- Yes --> T[Develop Patch] | ||
| T --> U[Test Solution] | ||
| U --> V[Add Regression Testing] | ||
|
||
| V --> W[Create a Security Release with CVE Included] | ||
| W --> Z[Public Disclosure] | ||
| Z --> Z1[Notify Community] | ||
|
||
| Z1 --> Z2[Official Blog Post] | ||
| Z1 --> Z3[Social Media Announcements] | ||
| ``` | ||
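Review bot: in the mermaid block, node `J` is given two different labels, first `E -- No --> J[Proceed with Standard Private Process]` and later `I --> J[Acknowledge within 5 days to the Reporter]`. Mermaid keeps a single label per node id (the later definition wins), so the "Proceed with Standard Private Process" step will not be rendered and the "No" branch of the premature-disclosure check will appear to jump straight to the acknowledgement step. Either give the standard-path step its own id (a node between `E` and `J`) or, if both branches are meant to converge on the acknowledgement, drop the first label and write `E -- No --> J`. Also worth confirming that the two response deadlines in the chart, 5 days for the initial acknowledgement (`J`) and 10 days for the reply on a report closed as invalid (`Y`), match the timelines in the linked SECURITY policy, since the Scope section states this process cannot diverge significantly from it.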