security-support-role.md

File metadata and controls

54 lines (34 loc) · 2.26 KB

Security Support Role 2024

The following list, sorted by priority, details what OpenSSF seeks from the partnership.

1) Fix and Triage Security Issues

One of the primary challenges in fixing and triaging security issues is response time. Delays in identifying and addressing vulnerabilities prolong exposure to risk. Resource allocation is another significant pain point, as there is often insufficient people time or expertise to manage and resolve security issues effectively.

This section aims to provide all necessary support to triage and fix security reports through HackerOne.

2) Support & Automation of Security Releases

In supporting and automating security releases, a major pain point is the people time required to prepare a security release, right up to the day of the release. Usually, it requires:

  • 1 Security Release Steward - Responsible for coordinating the security release with the releasers.
  • 1 Releaser for each active release line, for instance:
    • 1 Releaser for Node.js v18.x
    • 1 Releaser for Node.js v20.x
    • 1 Releaser for Node.js v22.x

This increases the risk of errors and slows down the release cycle.

This section aims to remove most (if not all) of the human work involved, so that releases happen faster and more securely.

3) Node.js Security Team Initiatives

2024 Security Initiatives - https://github.com/nodejs/security-wg#current-initiatives

Activities in this section include:

Making the Security team active, running meetings regularly

Keeping the security team active and running meetings regularly is crucial, but maintaining regular participation and engagement from team members is challenging. A healthy team is therefore a must.

Making progress on the initiatives selected by the Node.js Security team

Every year the Security team selects some initiatives to work on throughout the year. Some initiatives are pursued in parallel (each with someone championing it), and others are worked on together during our meetings.

Projecting future initiatives to make the team sustainable

This means developing a long-term strategy that aligns with evolving security needs, and ensuring that the Node.js project follows security best practices across all project contributors.

4) Node.js Security Sustainability

// TODO