Hi folks, as part of the Node.js Security initiative we have created a table of access per group, based on the available roles under the Node.js org. We'd like to get some feedback/review. Feel free to edit the table if you think something is wrong (I can read the history and update our hackmd table).
The idea is to have a table of permissions and then look at the threats each role has and their impact on the nodejs organization.
Access per Group

Levels: (-) none, (r) read, (w) write, (a) admin/owner (inspiration from https://mason.gmu.edu/~montecin/UNIXpermiss.htm). One character per sub-group, in the order given in the column header.

Additional notes:

While some teams can have access to a resource, like the secrets, they might have different access levels internally based on sub-groups.
Some individuals and teams have access, such as write, in different GitHub repositories in the org, like working groups or subteams.

Note

¹ - All repositories with code that gets published or has some impact on nodejs/core
² - Releasers have access to run CI during a CI embargo (security release)

| Resource | External people | Contributors (Core/Triagers/WG) | Build (Test/Infra/Admin) | Admin (TSC/Releasers/Moderation) | Security (Stewards/Triagers/External) | GitHub (Actions/Plugins) |
|---|---|---|---|---|---|---|
| HackerOne | - | --- | --- | aw- | www | -- |
| MITRE | - | --- | --- | a-- | w-- | -- |
| private/node-private | - | --- | www | aw- | w-w | -- |
| private/security-release | - | --- | --- | a-- | ww- | -- |
| private/secrets | - | --- | www | a-- | --- | -- |
| nodejs/node | r | wrr | rrw | awa | rrr | wr |
| nodejs/deps¹ | r | rrr | rrw | arr | rrr | wr |
| nodejs/build (GH) | r | rrr | rrw | awa | rrr | wr |
| nodejs/node-core-utils | r | rrr | rrw | awa | rrr | wr |
| npm account | - | - | -a- | a-- | --- | -- |
| Jenkins CI - test | r | ww- | wwa | -w²- | --- | ww |
| Jenkins CI - release | - | --- | -ww | -w- | --- | -- |
| Infra - test | - | w-- | aaa | ww- | -w- | ww |
| Infra - release | - | --- | -ww | -w- | --- | -- |
| Build infra | - | --- | -a- | --- | --- | -- |
| Website Infra | - | --- | -a- | a-- | --- | -- |
| Youtube | - | --w | --- | a-- | --- | -- |
| Zoom | r | rrw | --- | a-- | --- | -- |
| 1Password | - | --r | --- | a-- | --- | -- |
| Social media accounts | - | --- | --- | --- | --- | -- |
| Email (nodejs-sec) | r | rrr | rrr | awr | wrr | rr |
| Email (io.js aliases) | r | --- | -a- | w-- | --- | -- |

Repos under nodejs which do not include code are not covered, as they cannot lead to the threats listed.
pkgjs.org is excluded as it does not include code/repos that make it into Node.js binaries.
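As an added example (not part of the post above and not Node.js project tooling), the following script shows one way to act on the matrix: parse the compact per-sub-group notation, list what each sub-group can write to or administer, and flag sub-groups whose grants cover both source repositories and release infrastructure, i.e. the groups for which a single compromised account spans the whole publish path. The sub-group names, the ranking `-` < `r` < `w` < `a`, the pipe-separated row format and the subset of rows embedded below are assumptions made for the example; the rows themselves are copied from the table.

```javascript
// Added example: least-privilege review over an access matrix in the
// post's notation. Not code from the Node.js project.

// Assumed ordering of the post's levels.
const LEVEL_RANK = { '-': 0, r: 1, w: 2, a: 3 };

// Column layout taken from the table headers; each cell holds one level
// character per sub-group, in this order. Sub-group names are assumed.
const COLUMNS = [
  ['External'],
  ['Contributors/Core', 'Contributors/Triagers', 'Contributors/WG'],
  ['Build/Test', 'Build/Infra', 'Build/Admin'],
  ['Admin/TSC', 'Admin/Releasers', 'Admin/Moderation'],
  ['Security/Stewards', 'Security/Triagers', 'Security/External'],
  ['GitHub/Actions', 'GitHub/Plugins'],
];

// Constructed input: a subset of the post's rows in a pipe-separated form.
const TABLE = `
private/secrets      | - | --- | www | a--  | --- | --
nodejs/node          | r | wrr | rrw | awa  | rrr | wr
nodejs/deps          | r | rrr | rrw | arr  | rrr | wr
Jenkins CI - test    | r | ww- | wwa | -w²- | --- | ww
Jenkins CI - release | - | --- | -ww | -w-  | --- | --
Infra - release      | - | --- | -ww | -w-  | --- | --
`;

// Expand each row into { resource, group, level } grants.
function parseTable(text) {
  const grants = [];
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    const cells = raw.split('|').map((c) => c.trim());
    const resource = cells[0];
    cells.slice(1).forEach((cell, colIdx) => {
      const levels = cell.replace(/[^-rwa]/g, ''); // drop footnote marks like ²
      const groups = COLUMNS[colIdx];
      if (levels.length !== groups.length) {
        throw new Error(`${resource}: cell "${cell}" does not match ${groups.length} sub-groups`);
      }
      [...levels].forEach((level, i) => grants.push({ resource, group: groups[i], level }));
    });
  }
  return grants;
}

// Resources each sub-group can modify (write or admin).
function writableByGroup(grants) {
  const out = {};
  for (const g of grants) {
    if (LEVEL_RANK[g.level] >= LEVEL_RANK.w) (out[g.group] ??= []).push(g.resource);
  }
  return out;
}

// Sub-groups that can both change code and operate release infrastructure.
function codeAndReleaseGroups(grants, codeResources, releaseResources) {
  const w = writableByGroup(grants);
  return Object.keys(w)
    .filter((grp) => codeResources.some((r) => w[grp].includes(r)) &&
                     releaseResources.some((r) => w[grp].includes(r)))
    .sort();
}

const grants = parseTable(TABLE);
console.log(writableByGroup(grants));
console.log(codeAndReleaseGroups(
  grants,
  ['nodejs/node', 'nodejs/deps'],
  ['Jenkins CI - release', 'Infra - release'],
));
```

On the embedded rows this reports `Build/Admin` and `Admin/Releasers` as the sub-groups holding write on a code repository as well as on release CI or infrastructure; extending `TABLE` to the full matrix and the resource lists to the other code repositories gives the complete picture for the threat review the post proposes.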