nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Please take down HackerOne report 504931 #527

Closed dougwilson closed 5 years ago

dougwilson commented 5 years ago

Link: https://hackerone.com/reports/504931

This report was disclosed publicly with a severity of "none". This has caused confusion amongst security vendors (specific examples are npm security and SourceClear at the time of this writing), as they believe that anything disclosed is a vulnerability. They don't seem to understand the nuance of "Severity: none".

I would ask if the Security-WG could take the report down for the time being, at the very least because the underlying issue was reported to the source maintainer without any mention of it being a security vulnerability, a generic timeline was provided when asked when it would be fixed, and then the HackerOne report was just randomly disclosed without any regard to coordination with the maintainer.

At no time during the HackerOne report process was the existence of the HackerOne report made known to the maintainer, the maintainer was never invited to participate in the report, and the report itself is very vague and the description imo leaves a lot to be desired. All of which could have been worked out if the maintainer had even been invited to the report. This seems to be a step outlined here: https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md#correction-follow-up :

they contact the maintainers of the vulnerable package to make them aware of the vulnerability. The maintainers can be invited as participants to the reported issue.

With the package maintainer, they define a release date for the publication of the vulnerability. Ideally, this release date should not happen before the package has been patched.

I would like to understand as well what happened in this case and why these parts were skipped and how it will be corrected in the future to prevent subjecting maintainers to this.

vdeturckheim commented 5 years ago

@dougwilson I have asked HackerOne to un-publish the report, as this is not something I can do directly.

We are having internal discussions right now about this issue and I hope we can soon take them public.

Also, as of today, the management of the HackerOne bug bounty program for the Node.js ecosystem will change and be handled more deeply by HackerOne. This should help us achieve better quality in the future.

@dougwilson I know this is not much but I am personally really sorry about this issue. Our goal is to avoid such situations.

sam-github commented 5 years ago

@vdeturckheim who did you contact?

vdeturckheim commented 5 years ago

@sam-github I asked @reedloden through a private comment on the report.

sam-github commented 5 years ago

OK, thanks. It's quite private; I can't see that comment even when I'm logged in.

reedloden commented 5 years ago

I'm getting this handled shortly.

ronperris commented 5 years ago

@dougwilson

Sent an email to SourceClear to have the report removed or its risk score reduced to 0.

Will update when any progress is made.

ronperris commented 5 years ago

@dougwilson

Got a reply from SourceClear.

So we pull our data from the NPM site. If the NPM site shows what you speak of, then please send me a link to the vuln on that site. Then I can ask our engineers to fix the discrepancy. https://www.npmjs.com/

Still working with them to get it removed.

ronperris commented 5 years ago

The HackerOne report is no longer public.

The SourceClear and NPM advisories with incorrect risk scores were removed.

The security mechanism that was reported on in the now-hidden HackerOne report was updated.

A new version of finalhandler was released that included the change I proposed in the HackerOne report.

A new version of Express was released that included the new version of finalhandler.