nodejs · mhdawson · Oct 25, 2017 · Oct 25, 2017 · Oct 25, 2017 · Oct 27, 2017
diff --git a/processes/cve_management_process.md b/processes/cve_management_process.md
@@ -0,0 +1,125 @@
+# Node.js CVE management process
+
+The Node.js project acts as a [Common Vulnerabilities and Exposures (CVE)
+Numbering Authority (CNA)](https://cve.mitre.org/cve/cna.html).
+The current scope is for all actively developed versions of software
+developed under the Node.js project (ie.  https://github.com/nodejs).
+This means that the Node.js team reviews CVE requests and if appropriate
+assigns CVE numbers to vulnerabilities.  The scope currently **does not**
+include third party modules.
+
+More detailed information about the CNA program is available in
+[CNA_Rules_v1.1](https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf).
+
+# Contacts
+
+As part of the CNA program the Node.js team must provide a number
+of contact points.  Email aliases have been setup for these as follows:
+
+* **Public contact points**. Email address to which people will be directed
+  by Mitre when they are asked for a way to contact the Node.js team about
+  CVE-related issues. **[email protected]**
+
+* **Private contact points**. Administrative contacts that Mitre can reach out
+   to directly in case there are issues that require immediate attention.
+   **[email protected]**
+
+* **Email addresses to add to the CNA email discussion list**. This address has
+   been added to a closed mailing list that is used for announcements,
+   sharing documents, or discussion relevant to the CNA community.
+   The list rarely has more than ten messages a week.
+   **[email protected]** 
+
+# CNA management processes
+
+## CVE Block management
+
+The CNA program allows the Node.js team to request a block of CVEs in
+advance. These CVEs are managed in an issue within the private Node.js
+[security repo](https://github.com/nodejs/security).  Each year there
+will be an issue in that repo titled:
+
+```
+CVE Block for XXXX
+```
+
+where XXXX is the year (for example `CVE Block for 2017`).
+
+This issue will have the following sections:
+
+* Available
+* Pending
+* Announced 
+
+
+When a new block of CVEs is received from Mitre they will be listed under
+the `Available` secion. 
+
+These CVEs will be moved from the Available to Pending and Announced
+as outlined in the section titled `CVE Management process`. 
+
+In addition, when moving a CVE from Available such that there are less
+than two remaining CVEs a new block must be requested as follows:
+
+
+* Use the Mitre request form https://cveform.mitre.org/ with the 
+  option `Request a Block of CVEs to request a new block`.
+* The new block will be sent to the requestor through email.
+* Once the new block has been received, the requestor will add them
+  to the Available list.
+
+**Note**:  When making any changes in the issue, first add a comment
+indicating the change being made.
+
+
+## External CVE request process
+
+When a request for a CVE is received via the [email protected]
+email alias the following process will be followed (likely updated
+after we get HackerOne up and running).
+
+* Respond to the requestor indicating that we have the request
+  and will review soon.
+* Open an issue in the security repo for the request.
+* Review the request.
+  * If a CVE is appropriate then assign the
+    CVE as outline in the section titled
+    [CVE Management process for Node.js vulnerabilities](CVE-Management-process-for-Node.js-vulnerabilities)
+    and return the CVE number to the requestor (along with the request
+    to keep it confidential until the vulnerability is announced)
+  * If a CVE is not appropriate then respond to the requestor
+    with the details as to why.
+
+## Quarterly reporting
+
+* There is a requirement for quarterly reports to Mitre on CVE
+  activity.  Not sure of the specific requirements yet.  Will
+  add details on process once we've done the first one.
+
+
+# CVE Management process for Node.js vulnerabilities
+
+When the Node.js team is going announce a new vulnerability the
+following steps are used to to assign, announce and report a CVE.
+
+* Select the next CVE in the block available from the CNA process as
+  outlined in the section above. 
+* Move the CVE from the unassigned block, to the Pending section along
+  with a link to the issue in the security repo that is being used
+  to discuss the vulnerability.
+* As part of the
+  [security announcement process](https://github.com/nodejs/security-wg/blob/master/processes/security_annoucement_process.md)
+  in the issue in the security issue being used to discuss the
+  vulnerability, associate the CVE to that vulnerability. This is most
+  commonly done by including it is the draft for the announcement that
+  will go out once the associated security releases are availble.
+* Once the security announcement goes out:
+  * Use the [Mitre form](https://cveform.mitre.org/) to report the
+    CVE details to Mitre using the `Notify CVE about a publication`. The
+    link to the advisory will be the for the blog announcing that security
+    releases are available.  The description should be a subset of the
+    details in that blog.
+  * Move the CVE from the Pending section to the Announced section along
+    with a link to the Node.js blog post announcing that releases
+    are availble.
+