doc: no longer maintain a CNA structure#33639
Uh oh!
There was an error while loading. Please reload this page.
Conversation
Node.js hasn't touched the cve-management repo since the Feb 2019 security release, we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine adminstration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and cleanup related resources (email aliases, archive the cve-management repo, whatever else I find).
sam-github commented May 29, 2020
@jasnell I couldn't find the issue where I last brought this up in, but IIRC correctly you wanted to keep the CNA status around a bit longer, just in case we needed it. I'm just trying to remove as much adminstrative overhead as possible, if people still want to maintain this, that's OK, but I haven't seen it being used. And of course, if for some reason we decide to stop using HackerOne for any kind of reason, becoming a CNA was pretty easy, it would be possible to do it again. Jo Bazar, Lead CNA Coordinator, [email protected] , [email protected], is the contact. Jo last asked this February what the status was, I said we were still thinking about it, Jo said "ok, keep me informed". |
jasnell commented May 29, 2020
At this point dropping it makes sense |
sam-github commented May 29, 2020
OK, unless someone raises concerns before then, I'll do the cleanup early next week. cc: @nodejs/tsc @nodejs/security @nodejs/security-triage |
BridgeAR commented May 30, 2020
Should we add that to the TSC agenda? |
vdeturckheim commented May 30, 2020
The only potential risk I see is that technically, not being a CNA means that MITRE (and some other specific CNAs - for instance Airbus) could be free to publish CVEs regarding Node.js. I don't believe there is a high risk however as MITRE asks on maintainer's feedback when acting as a CNA. |
BridgeARforce-pushed the master branch 2 times, most recently from 8ae28ff to 2935f72Compare
sam-github added the tsc-agenda sam-github commented Jun 2, 2020
Conversation has moved to email with Mitre and HackerOne and TSC, trying to clarify what the impact of dropping CNA status would be, if any. Will report back here once its known. |
mhdawson commented Jul 2, 2020
Michael volunteer tell mitre we will no longer be our own CNA. |
mhdawson removed the tsc-agenda 
jasnell commented Jul 3, 2020
Based on the TSC discussion and no objections, I think we can land this while the other actions are being taken in parallel. |
Node.js hasn't touched the cve-management repo since the Feb 2019 security release, we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine adminstration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and cleanup related resources (email aliases, archive the cve-management repo, whatever else I find). PR-URL: #33639 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Vladimir de Turckheim <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]>
jasnell commented Jul 3, 2020
Landed in 3f81f2a |
Node.js hasn't touched the cve-management repo since the Feb 2019 security release, we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine adminstration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and cleanup related resources (email aliases, archive the cve-management repo, whatever else I find). PR-URL: #33639 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Vladimir de Turckheim <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]>
Node.js hasn't touched the cve-management repo since the Feb 2019 security release, we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine adminstration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and cleanup related resources (email aliases, archive the cve-management repo, whatever else I find). PR-URL: #33639 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Vladimir de Turckheim <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]>
Node.js hasn't touched the cve-management repo since the Feb 2019 security release, we've used the HackerOne CVE allocation process. Maintaining our status as a CNA is not zero cost, there is some routine adminstration that is requested (see this doc for details). As we no longer use the CVE management process, I propose removing it. If this lands, I will go through the interactions with Mitre so that Node.js is no longer a CNA and cleanup related resources (email aliases, archive the cve-management repo, whatever else I find). PR-URL: #33639 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Vladimir de Turckheim <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]>
9 participants
Node.js hasn't touched the cve-management repo since the Feb 2019
security release, we've used the HackerOne CVE allocation process.
Maintaining our status as a CNA is not zero cost, there is some routine
adminstration that is requested (see this doc for details).
As we no longer use the CVE management process, I propose removing it.
If this lands, I will go through the interactions with Mitre so that
Node.js is no longer a CNA and cleanup related resources (email aliases,
archive the cve-management repo, whatever else I find).
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes