nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Security Mailing List #1343

Open RedYetiDev opened 1 week ago

RedYetiDev commented 1 week ago

Currently, the alias security@nodejs.org forwards to nodejs-79566c66a30b0312@forwarding.hackerone.com, which will open a HackerOne report. I recommend updating this alias to forward messages to all members of the security team, similar to how other aliases function.

One enhancement is that when security emails not warranting a report are received, individual members can respond rather than a HackerOne report being made. (And when a report is needed, members can still create it.)

Another enhancement is that individuals with specific concerns are able to directly contact the entire security team. For instance, triagers could inform the team about premature disclosures more effectively, and users could inquire about their own premature disclosures if needed.

tniessen commented 1 week ago

I assume this issue was opened in good faith but it seems misguided.

This security team is not responsible for handling reports of security vulnerabilities, and in fact should not have access to reported vulnerabilities.

RedYetiDev commented 1 week ago

What about premature disclosures? Isn't that the security team's jurisdiction? (Like moving them to the right repository.)

tniessen commented 1 week ago

Are you suggesting to repurpose the email alias from reporting vulnerabilities to allowing people to privately communicate with the security team? The security team doesn't have access to H1 reports and wouldn't be able to answer questions about their status. In any case, it'd seem safer to create a new list or alias for that.

RedYetiDev commented 1 week ago

> it'd seem safer to create a new list or alias for that.

Sounds good to me. I'm suggesting an email alias in general; it doesn't have to be the one I mentioned in my issue.