doc: add process for handling premature disclosure

mhdawson · danielleadams · commit 0401ffbfb643 · 2020-12-07T13:55:12.000-05:00
Add process for handling premature disclosure of a security vulnerability in the public repos. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #36155 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Rich Trott <rtrott@gmail.com>
diff --git a/doc/guides/collaborator-guide.md b/doc/guides/collaborator-guide.md
@@ -7,6 +7,7 @@
   * [Closing issues and pull requests](#closing-issues-and-pull-requests)
   * [Author ready pull requests](#author-ready-pull-requests)
   * [Handling own pull requests](#handling-own-pull-requests)
+  * [Security issues](#managing-security-issues)
 * [Accepting modifications](#accepting-modifications)
   * [Code reviews](#code-reviews)
   * [Consensus seeking](#consensus-seeking)
@@ -87,6 +88,34 @@ to land but is [author ready](#author-ready-pull-requests), add the
 `author ready` label. If you wish to land the pull request yourself, use the
 "assign yourself" link to self-assign it.
 
+### Managing security issues
+
+Security issues should ideally be reported through the processes outlined in
+[SECURITY.md][security reporting]. This allows the collaborators to
+appropriately triage the report and address vulnerabilities in a planned
+security release. If an issue is opened in the public repo
+which describes a security issue, or if an issue is later identified to be
+describing a security issue, take the following steps:
+
+* Ask the originator to submit a report through Hacker one as outlined in
+  [SECURITY.md][security reporting].
+* Move the issue to the private repo called
+  [premature-disclosures](https://github.com/nodejs/premature-disclosures).
+* For any related pull requests create an associated issue in the
+  `premature-disclosures` repo and add a copy of the patch for the
+  pull request, and screenshots of discussion on the PR to the issue.
+* Open a ticket with GitHub asking that the PRs be deleted through
+  [GitHub suppport](https://support.github.com/contact)
+  using Node.js(team) as the account organization.
+* Open a new issue in the repository in which the issue was originally
+  reported with a brief FYI to the originator. `FYI @xxxx we asked github
+  to delete your PR while we work on releases in private.` with the title
+  `FYI - PR deleted #YYYY`.
+* Email `tsc@iojs.org` with the link to the issues in the
+  `premature-disclosures` repo so that the TSC is aware that they
+  may need to expedite handling of the issue due to premature
+  disclosure.
+
 ## Accepting modifications
 
 Contributors propose modifications to Node.js using GitHub pull requests. This
@@ -791,4 +820,5 @@ If you cannot find who to cc for a file, `git shortlog -n -s <file>` can help.
 [git-username]: https://help.github.com/articles/setting-your-username-in-git/
 [node-core-utils-credentials]: https://github.com/nodejs/node-core-utils#setting-up-credentials
 [node-core-utils-issues]: https://github.com/nodejs/node-core-utils/issues
+[security reporting]: https://github.com/nodejs/node/blob/HEAD/SECURITY.md
 [unreliable tests]: https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22CI+%2F+flaky+test%22
