From 692c1628126008db3ef47074305e120bae635719 Mon Sep 17 00:00:00 2001 From: warnerp18 Date: Thu, 1 Nov 2018 21:24:54 -0700 Subject: [PATCH 1/2] doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. --- README.md | 38 +------------------------------------- SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 37 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 671e5321450c7e..abe565e53c6d9b 100644 --- a/README.md +++ b/README.md @@ -159,43 +159,7 @@ source and a list of supported platforms. ## Security -If you find a security vulnerability in Node.js, please report it to -security@nodejs.org. Please withhold public disclosure until after the security -team has addressed the vulnerability. - -The security team will acknowledge your email within 24 hours. You will receive -a more detailed response within 48 hours. - -There are no hard and fast rules to determine if a bug is worth reporting as a -security issue. Here are some examples of past issues and what the Security -Response Team thinks of them. When in doubt, please do send us a report -nonetheless. - - -### Public disclosure preferred - -- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain - function can be used to cause segfaults_. Requires the ability to execute - arbitrary JavaScript code. That is already the highest level of privilege - possible. - -### Private disclosure preferred - -- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/): - _Fix invalid wildcard certificate validation check_. This was a high-severity - defect. It caused Node.js TLS clients to accept invalid wildcard certificates. - -- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes - the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities - in the TLS/SSL protocols also affect Node.js. - -- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/): - _Fix defects in HTTP header parsing for requests and responses that can allow - response splitting_. This was a remotely-exploitable defect in the Node.js - HTTP implementation. - -When in doubt, please do send us a report. - +For information about security of the Node.js project, see [Seucrity.md](https://github.com/nodejs/node/blob/master/SECURITY.md). ## Current Project Team Members diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000000..47bc1129c31e10 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,37 @@ +# Security +If you find a security vulnerability in Node.js, please report it to +security@nodejs.org. Please withhold public disclosure until after the security +team has addressed the vulnerability. + +The security team will acknowledge your email within 24 hours. You will receive +a more detailed response within 48 hours. + +There are no hard and fast rules to determine if a bug is worth reporting as a +security issue. Here are some examples of past issues and what the Security +Response Team thinks of them. When in doubt, please do send us a report +nonetheless. + + +## Public disclosure preferred + +- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain + function can be used to cause segfaults_. Requires the ability to execute + arbitrary JavaScript code. That is already the highest level of privilege + possible. + +## Private disclosure preferred + +- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/): + _Fix invalid wildcard certificate validation check_. This was a high-severity + defect. It caused Node.js TLS clients to accept invalid wildcard certificates. + +- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes + the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities + in the TLS/SSL protocols also affect Node.js. + +- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/): + _Fix defects in HTTP header parsing for requests and responses that can allow + response splitting_. This was a remotely-exploitable defect in the Node.js + HTTP implementation. + +When in doubt, please do send us a report. From f9f721239a99f372f788dc8e7f35d06cb62dbe43 Mon Sep 17 00:00:00 2001 From: warnerp18 Date: Fri, 2 Nov 2018 10:20:59 -0700 Subject: [PATCH 2/2] updates gramar on readme and removes extra line in SECURITY.md --- README.md | 3 ++- SECURITY.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index abe565e53c6d9b..a4a93612c1036d 100644 --- a/README.md +++ b/README.md @@ -159,7 +159,8 @@ source and a list of supported platforms. ## Security -For information about security of the Node.js project, see [Seucrity.md](https://github.com/nodejs/node/blob/master/SECURITY.md). +For information on reporting security vulnerabilities in Node.js, see +[SECURITY.md](./SECURITY.md). ## Current Project Team Members diff --git a/SECURITY.md b/SECURITY.md index 47bc1129c31e10..5f1e3e2cc7d563 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,4 +1,5 @@ # Security + If you find a security vulnerability in Node.js, please report it to security@nodejs.org. Please withhold public disclosure until after the security team has addressed the vulnerability. @@ -11,7 +12,6 @@ security issue. Here are some examples of past issues and what the Security Response Team thinks of them. When in doubt, please do send us a report nonetheless. - ## Public disclosure preferred - [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain