doc: no longer maintain a CNA structure #33639
Conversation
Node.js hasn't touched the cve-management repo since the Feb 2019 security release; we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine administration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and clean up related resources (email aliases, archive the cve-management repo, whatever else I find).
@jasnell I couldn't find the issue where I last brought this up, but IIRC you wanted to keep the CNA status around a bit longer, just in case we needed it. I'm just trying to remove as much administrative overhead as possible; if people still want to maintain this, that's OK, but I haven't seen it being used. And of course, if for some reason we decide to stop using HackerOne, becoming a CNA was pretty easy, so it would be possible to do it again. Jo Bazar, Lead CNA Coordinator, [email protected], [email protected], is the contact. Jo last asked this February what the status was; I said we were still thinking about it, and Jo said "ok, keep me informed".
At this point dropping it makes sense
OK, unless someone raises concerns before then, I'll do the cleanup early next week. cc: @nodejs/tsc @nodejs/security @nodejs/security-triage
Should we add that to the TSC agenda?
lgtm
The only potential risk I see is that technically, not being a CNA means that MITRE (and some other specific CNAs, for instance Airbus) could be free to publish CVEs regarding Node.js. I don't believe there is a high risk, however, as MITRE asks for the maintainers' feedback when acting as a CNA.
LGTM
Conversation has moved to email with Mitre, HackerOne and the TSC, trying to clarify what the impact of dropping CNA status would be, if any. Will report back here once it's known.
Michael volunteered to tell Mitre we will no longer be our own CNA.
Based on the TSC discussion and no objections, I think we can land this while the other actions are being taken in parallel.
Node.js hasn't touched the cve-management repo since the Feb 2019 security release; we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine administration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and clean up related resources (email aliases, archive the cve-management repo, whatever else I find).
PR-URL: #33639
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Vladimir de Turckheim <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Сковорода Никита Андреевич <[email protected]>
Landed in 3f81f2a
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes