doc/contributing/security-release-process.md (5 additions & 0 deletions)
@@ -56,6 +56,8 @@ The current security stewards are documented in the main Node.js
56
56
*[ ] pre-release: _**LINK TO PR**_
57
57
*[ ] post-release: _**LINK TO PR**_
58
58
* List vulnerabilities in order of descending severity
59
+
* Use the "summary" feature in HackerOne to sync post-release content
60
+
and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
59
61
* Ask the HackerOne reporter if they would like to be credited on the
60
62
security release blog page:
61
63
```text
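Review bot: The new bullet at new lines 59-60 says to "sync post-release content and CVE requests" without saying what the summary should contain or who writes it, and the only guidance is a bare report id linking into the `hackerone.com/bugs?...` view. Suggest adding one sentence in the document itself that describes what belongs in the summary (for example the impact description and affected release lines), so the step is still usable by a steward who cannot open that report. Also worth checking that the `\&` in the link target renders as a plain `&` in the generated docs.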
@@ -81,6 +83,9 @@ The current security stewards are documented in the main Node.js
81
83
between Security Releases.
82
84
* Pass `make test`
83
85
* Have CVEs
86
+
* Use the "summary" feature in HackerOne to create a description for the
87
+
CVE and the post release announcement.
88
+
Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
84
89
* Make sure that dependent libraries have CVEs for their issues. We should
85
90
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
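Review bot: The bullet added at new lines 86-88 repeats the instruction from the earlier hunk with different wording ("create a description for the CVE and the post release announcement" here, "sync post-release content and CVE requests" there) and the same example link. Suggest stating the instruction once and referring to it from the other place, or at least using identical wording, so the two copies cannot drift apart. Style point: "post release" here should be "post-release" to match the rest of the file.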