diff options
author | Rafael Gonzaga <rafael.nunu@hotmail.com> | 2022-10-02 20:41:48 +0300 |
---|---|---|
committer | Danielle Adams <adamzdanielle@gmail.com> | 2022-10-05 13:54:19 +0300 |
commit | 6ae9bc8fbce4aa98ca70d48b71b463770da48757 (patch) | |
tree | 394e7c8c8f394ec4dc7f21fffc98e09d98550000 /doc | |
parent | 8dacedaa3de99daf6b481413027cb0556c282fb5 (diff) |
doc: add extra step for reporter pre-approval
As discussed in the #security-triagge (OpenJS channel).
To avoid insufficient CVE fixes across Security Release,
might make sense to request a reporter pre-approval.
PR-URL: https://github.com/nodejs/node/pull/44806
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/contributing/security-release-process.md | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index f50c16f4b2e..468f9ad4e51 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -44,6 +44,8 @@ The current security stewards are documented in the main Node.js the date in the slug so that it will move to the top of the blog list.) * (Consider using a [Vulnerability Score System](https://www.first.org/cvss/calculator/3.1) to identify severity of each report) + * Share the patch with the reporter when applicable. + It will increase the fix accuracy. * [ ] pre-release: _**LINK TO PR**_ * [ ] post-release: _**LINK TO PR**_ * List vulnerabilities in order of descending severity @@ -66,6 +68,10 @@ The current security stewards are documented in the main Node.js * [ ] Check that all vulnerabilities are ready for release integration: * PRs against all affected release lines or cherry-pick clean * Approved + * (optional) Approved by the reporter + * Build and send the binary to the reporter according to its architecture + and ask for a review. This step is important to avoid insufficient fixes + between Security Releases. * Pass `make test` * Have CVEs * Make sure that dependent libraries have CVEs for their issues. We should |