Security WG meeting 2017-10-12

[vdeturckheim]

When

Thursday, Aug 12th, 2017, 20:00 UTC: other timezones

Where

• Call URL, for participants: https://hangouts.google.com/hangouts/_/jyz5dlubsnh4vjajxajcwmgoeae
• Youtube stream, for viewers: https://www.youtube.com/watch?v=iN366--sK0M
• Minutes document: https://docs.google.com/document/d/1-E8tuIdvkS5x1SNYf8TtLRPG0Zi5O7puMrFILyoC8uY/edit?usp=sharing

Agenda

• threat model for Node.js (Threat model #51)
• add Daniel Kluss (I would like to join #50)
• Have node become a CNA, so it can issue its own CVEs (CVE management process for Node.js #33)
• Review WG notes, and develop plans/action items/TODO lists to do the things we want. Security WG Informal Meetings at NINA 2017 #53
• ... (anyone is free to edit in more to the agenda, or comment below)

[evilpacket]

Would be good to recap quickly some of the discussion that happened at Node Interactive security dinner and raise those items for group commentary.

Things I remember discussing not already on the agenda

• Committing to HackerOne for core & community (modules) reporting of vulnerabilities
• Defining who can see what during the process
• Documenting in detail the process for vulnerability ingesting, triage, management and disclosure,
  ISO 29147 [zip]

Some additional evidence with regard to HackerOne in the form of compliance with the ISO 29147 / ISO 30111

[joshbw]

I can't make it today, but for "Have node become a CNA, so it can issue its own CVEs" one discussion point is whether it makes sense to make that effort ourselves, or simply use HackerOne (which is a CNA) to issue CVEs

[sam-github]

I'll setup the call info in 20 minutes, doing it late makes the hangouts work better.

[sam-github]

I posted the call URL: https://hangouts.google.com/hangouts/_/jyz5dlubsnh4vjajxajcwmgoeae

The call starts in one hour, the Node.js calendar is wrong, I'll see if I can change it (I think I was given permission).

[sam-github]

@Trott I think you tried to give me edit permission on the Node.js Foundation calendar, but I can't move the sec-wg meeting time to the correct one (an hour from now, 1pm PST).

Can you try again? Or did I miss an invite email I had to accept? Not really sure how it works.

Or @mhdawson or @MylesBorins , do either of you have the power to give me edit access to the foundation calendar? Michael, can you sync up the calendar time with the correct time for this meeting?

[Trott]

@Trott I think you tried to give me edit permission on the Node.js Foundation calendar, but I can't move the sec-wg meeting time to the correct one (an hour from now, 1pm PST).

No, wasn't me. Maybe @williamkapke?

I moved the meeting time to 1PM PDT.

[williamkapke]

RE: Calendar Access:
https://github.com/nodejs/admin#nodejs-foundation-calendar

[sam-github]

reminder: meeting starting in a couple minutes @nodejs/security-wg