doc: TSC has responsibility for Node.js security #579

Merged
merged 2 commits into from
Oct 1, 2019
Conversation

sam-github
Contributor

As a result of informal discussions with various stakeholders in the Node.js TSC and the Security WG, I'm proposing that we modify the Security WG charter.

As is, responsibility for triaging, fixing, and releasing fixes for security vulnerabilities in Node.js has always rested with the TSC (or been delegated to a subset of the TSC). However, responsibility for the processes involved has theoretically rested with the Security WG. I propose that the people responsible for executing the processes also be responsible for maintaining them, to avoid this situation of "joint responsibility".

I think this will help the TSC and the community at large, by making it clear that a single set of people, the Node.js TSC, is responsible for Node.js security.

For the Security WG, I think this is also a useful clarification of purpose. The Security WG spends a majority of its time dealing with security in the "ecosystem", namely, the npmjs.com package registry. The registry holds mostly JavaScript packages (or derived languages, like TypeScript), but those packages are not all Node.js packages; a growing number of them are browser-specific. At the same time, as the Node.js Foundation and JavaScript Foundation have merged, there are a number of "foundation" projects that are JavaScript, but not Node.js. There is interest in collaborating across the foundation on security reporting, triage, etc. (see openjs-foundation/cross-project-council#326). I think by freeing the Security WG from the very Node.js core specific maintenance, it allows it to focus more clearly on the Ecosystem.

Of course, as individuals, everyone can follow their interest, anyone in Node.js or Ecosystem security is free and welcome to participate in both the Node.js project, the Ecosystem Security project, or anywhere else they want!

At this point, this is a proposal that needs to be ratified by the Node.js TSC, which holds responsibility for giving the Security WG its charter, and (I think) is responsible for changing it if it wants.

Of course, if the Security WG became a top-level project of the OpenJS Foundation, it wouldn't be the TSC's job to maintain the charter anymore :-), but that's a different conversation for the Ecosystem Sec WG to have, unrelated to Node.js and the TSC; I'm not even sure if anyone is considering that at the moment.

The deleted content here would move to other repos, I'll open PRs on nodejs/TSC and nodejs/node, but they are draft until people weigh in on this PR here.

The Ecosystem Security WG remains responsible for Ecosystem/third-party packages.

Node.js maintenance processes related to security join the other maintenance process documentation in:
- https://github.com/nodejs/node/tree/master/doc/guides

TSC documentation about Security Team membership and responsibility joins the other TSC-specific docs in:
- https://github.com/nodejs/TSC
@sam-github
Contributor Author

@nodejs/TSC

@Trott
Member

Trott commented Sep 23, 2019

@nodejs/TSC

GitHub quirk: You can't capitalize the team name. :-(

/ping @nodejs/tsc

Co-Authored-By: Rich Trott <[email protected]>
@Trott
Member

Trott commented Sep 24, 2019

Not prepared yet to comment on the specific changes here, but +1 to changing the name of this working group. Love the group and appreciate the work they do, but I have never thought it was a good idea to give it the name "Security Working Group" as it would inevitably be confusing.

@vdeturckheim
Member

This seems like a good move to me! Will review the PR today.

@MarcinHoppe
Contributor

I am in favor of the change and adjusting the name of this group to make it clearer that the charter of this group is not about the Node.js runtime, but the entire ecosystem around it. Today we are mostly dealing with triaging vulnerabilities in packages hosted on npm, but while we are refreshing the charter, we could include other things like fostering responsible disclosure standards (see threads with OpenJS Foundation and with Package Maintenance WG) and general security best practices for apps and libraries running on Node.js.

@mhdawson mhdawson left a comment
LGTM

@sam-github sam-github merged commit b342b38 into nodejs:master Oct 1, 2019
@sam-github sam-github deleted the move-node-sec-to-tsc branch October 1, 2019 17:12