Skip to content

Commit

Permalink
doc: add h1 summary to security release process
Browse files Browse the repository at this point in the history
PR-URL: #49112
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
RafaelGSS authored and UlisesGascon committed Sep 10, 2023
1 parent 9fcd99a commit 3df2251
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions doc/contributing/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ The current security stewards are documented in the main Node.js
* [ ] pre-release: _**LINK TO PR**_
* [ ] post-release: _**LINK TO PR**_
* List vulnerabilities in order of descending severity
* Use the "summary" feature in HackerOne to sync post-release content
and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Ask the HackerOne reporter if they would like to be credited on the
security release blog page:
```text
Expand All @@ -79,6 +81,9 @@ The current security stewards are documented in the main Node.js
between Security Releases.
* Pass `make test`
* Have CVEs
* Use the "summary" feature in HackerOne to create a description for the
CVE and the post release announcement.
Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.
Expand Down

0 comments on commit 3df2251

Please sign in to comment.