nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Where to report non-core nodejs security bugs? #776

Closed rcowsill closed 2 years ago

rcowsill commented 2 years ago

The HackerOne nodejs program appears to only cover security bugs in Node.js core. When creating a new H1 report the only option for "Asset" is https://github.com/nodejs/node.

Besides core, there are a range of other assets controlled by the Node.js organization: websites, build pipelines and associated infrastructure, for example.

What's the right channel for responsible disclosure of issues in those non-core areas?

DanielRuf commented 2 years ago

It depends; most repos should have a SECURITY.md file like https://github.com/nodejs/docker-node/blob/main/SECURITY.md

rcowsill commented 2 years ago

I can only find three SECURITY.md files across the 120 source repos in the nodejs org:

There are a lot of repos which don't need a policy (eg working groups), but what about repos like:

If there's no listed policy, is it acceptable to report security bugs using issues and submit a PR?

mcollina commented 2 years ago

Never use issues. All repositories in the Node.js github org are in scope for the HackerOne Node.js project.

Trott commented 2 years ago

> Never use issues. All repositories in the Node.js github org are in scope for the HackerOne Node.js project.

If I understood @bnb correctly from a conversation we had earlier today, if we put a SECURITY.md file into a repository named .github, then it will show up in the GitHub web interface for all repositories. However, it won't be in the actual checked out code for the repositories. But that might be a good way to get the "HackerOne covers every repository in the org" info out where people will look for it if they are trying to report a bug in undici or nodejs.org or something.

rcowsill commented 2 years ago

Yes, according to this page:

https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file

I think that would be a good solution. It could redirect to the main security policy (or H1), and reinforce the message to never report via issues.
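The precedence described in the two comments above (a repo's own SECURITY.md wins; otherwise GitHub falls back to the org's `.github` repository, which never appears in a clone of the other repos) can be checked against a local set of checkouts. The script below is an added example, not part of this thread or of the nodejs org's tooling; it assumes every repo of the org, including the `.github` repo, is cloned side by side under one directory, and it builds a constructed sample org in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report which repos in a local checkout
# of an org carry their own SECURITY.md and which rely on the org-level
# default in the ".github" repository. Assumed layout: $ORG_ROOT/<repo>/...
# with the org's ".github" repo cloned alongside the others.
# GitHub looks for SECURITY.md in the repo root, docs/ and .github/ of the
# repo itself, then falls back to the org's ".github" repository.

# security_policy_for ORG_ROOT REPO -> prints "repo", "org-default" or "none"
security_policy_for() {
    org_root=$1
    repo=$2
    for candidate in "SECURITY.md" "docs/SECURITY.md" ".github/SECURITY.md"; do
        if [ -f "$org_root/$repo/$candidate" ]; then
            echo "repo"
            return 0
        fi
    done
    # The org-wide default lives in the ".github" repo and is only visible
    # in the GitHub web UI, not in a clone of the repo being checked.
    if [ -f "$org_root/.github/SECURITY.md" ]; then
        echo "org-default"
        return 0
    fi
    echo "none"
}

# audit_org ORG_ROOT -> one line per repo: "<repo> <source>"
audit_org() {
    org_root=$1
    for dir in "$org_root"/*/; do
        repo=$(basename "$dir")
        # The ".github" repo is the policy source, not a repo to audit
        # (the glob above already skips dot-directories; this is explicit).
        [ "$repo" = ".github" ] && continue
        echo "$repo $(security_policy_for "$org_root" "$repo")"
    done
}

# Constructed sample org: one repo with its own policy, one without, and the
# org ".github" repo carrying the default that points reporters at HackerOne.
make_sample_org() {
    root=$(mktemp -d)
    mkdir -p "$root/docker-node" "$root/undici" "$root/.github"
    printf '# Security\nReport via HackerOne.\n' > "$root/docker-node/SECURITY.md"
    printf '# Security\nAll repos: report via HackerOne, never via issues.\n' \
        > "$root/.github/SECURITY.md"
    echo "$root"
}

SAMPLE=$(make_sample_org)
audit_org "$SAMPLE"
rm -rf "$SAMPLE"
```

Running it on the constructed sample prints `docker-node repo` and `undici org-default`; pointed at a real set of clones, a line ending in `none` means a repository that has neither its own policy nor an org-level fallback, which is the gap this issue is about.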

mhdawson commented 2 years ago

PR to add SECURITY.md to the .github repo - https://github.com/nodejs/.github/pull/5

mhdawson commented 2 years ago

The PR landed so closing this now - https://github.com/nodejs/.github/pull/5. Please let us know if that was not the right thing to do.