From c9b7fcbdb82440a2451c8d2b7cdb7554fd24ac84 Mon Sep 17 00:00:00 2001 From: Sergey Chernyshev Date: Thu, 25 Apr 2024 04:20:25 +0200 Subject: [PATCH] doc: add h1 summary to security release process PR-URL: https://github.com/nodejs/node/pull/49112 Reviewed-By: Moshe Atlow Reviewed-By: Matteo Collina Reviewed-By: Michael Dawson --- graal-nodejs/doc/contributing/security-release-process.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/graal-nodejs/doc/contributing/security-release-process.md b/graal-nodejs/doc/contributing/security-release-process.md index 7488c1b24c8..04505b648a8 100644 --- a/graal-nodejs/doc/contributing/security-release-process.md +++ b/graal-nodejs/doc/contributing/security-release-process.md @@ -56,6 +56,8 @@ The current security stewards are documented in the main Node.js * [ ] pre-release: _**LINK TO PR**_ * [ ] post-release: _**LINK TO PR**_ * List vulnerabilities in order of descending severity + * Use the "summary" feature in HackerOne to sync post-release content + and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134) * Ask the HackerOne reporter if they would like to be credited on the security release blog page: ```text @@ -81,6 +83,9 @@ The current security stewards are documented in the main Node.js between Security Releases. * Pass `make test` * Have CVEs + * Use the "summary" feature in HackerOne to create a description for the + CVE and the post release announcement. + Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134) * Make sure that dependent libraries have CVEs for their issues. We should only create CVEs for vulnerabilities in Node.js itself. This is to avoid having duplicate CVEs for the same vulnerability.
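Review bot: In the first hunk (the post-release checklist around `List vulnerabilities in order of descending severity`), the new sub-bullet reads as a child of that ordering step, but it is an independent action and "sync post-release content and CVE requests" does not say what is being synced with what. Suggest promoting it to its own `*` item and saying that the HackerOne report summary is the single text reused for both the CVE description and the announcement, e.g. "Use the 'summary' feature in HackerOne to write the text once and reuse it for the CVE request and the post-release announcement", which also matches the clearer wording used in the second hunk.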
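Review bot: In the second hunk (under `Have CVEs`), the same instruction and the same example link `[2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)` are repeated from the first hunk, and "post release announcement" is unhyphenated while the first hunk writes "post-release". Suggest keeping one hyphenated spelling and either linking the example once or having one of the two bullets refer back to the other, so the two steps cannot drift apart when the process is edited later.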