
docs: clarify ownership and times for security reporting #15

Open · wants to merge 4 commits into base: master

Conversation

UlisesGascon
Member

@UlisesGascon UlisesGascon commented Mar 3, 2025

Closes expressjs/security-wg#54


⚠️ IMPORTANT No merge before expressjs/security-wg#56 has landed


cc: @expressjs/security-wg @expressjs/security-triage @expressjs/express-tc

@UlisesGascon UlisesGascon self-assigned this Mar 3, 2025
@marco-ippolito
Member

I don't think it's right to set a strict time limit

@ljharb

ljharb commented Mar 3, 2025

why not? most security policies for larger projects do (this PR is loosening it from 48 hours to 3 working days)

@marco-ippolito
Member

marco-ippolito commented Mar 3, 2025

Node has:

> Normally, your report will be acknowledged within 5 days, and you'll receive a more detailed response to your report within 10 days indicating the next steps in handling your submission. These timelines may extend when our triage volunteers are away on holiday, particularly at the end of the year.

I think a detailed response in 3 days is too short and for no reason, I'd follow Node with 10 days

@bjohansebas
Member

I agree, a little more time would be great.


@RafaelGSS RafaelGSS left a comment


Considering there's no direct money nor anyone dedicating 100% of their time to working on Express, I'd expand this to 30 days.

@ljharb

ljharb commented Mar 3, 2025

I'm able to do 24-48 hours on all my projects without any of those things - responding to an email takes 30 seconds. Perhaps a longer time for the detailed triage, but do we really need a long time for the acknowledgement?

@bjohansebas
Member

I don't think it should be a long time either, 7 days for the second contact would be fine in my opinion.

Co-authored-by: Sebastian Beltran <[email protected]>
@wesleytodd
Member

wesleytodd commented Mar 4, 2025

I think for us the main issue has been that we have a triage team but no clear delineation of who will reply, and so we raise the issues and then, unless someone volunteers, it can sit. Like the one I just replied to had been sitting for 7 days because when I posted it to the triage channel I was busy with other things and could not immediately do more than copy the text from my phone into the Slack. Obviously we can try to send the 30-second "ack" email, and if we think that is better then fine, but for many of these we reply having done at least an initial investigation. Not saying I am attached to that, just pointing it out, because then 7 days makes more sense if we want to reply just once.

@bjohansebas
Member

I actually preferred that an email be sent saying that it was received and then do the relevant investigation, rather than waiting to do part of the investigation before communicating anything to the reporter.

endeavor to keep you informed of the progress towards a fix and full
announcement, and may ask for additional information or guidance.

> [!NOTE]
> You can find more information about our process in [this guide](https://github.com/expressjs/security-wg/blob/main/docs/handle_security_reports.md)
Member Author

The link won't work until expressjs/security-wg#56 is merged
