Commit f9739a8

mhdawson authored and targos committed
doc: add request to hold off publicising sec releases

- We've often seen tweets go out early before announcement and other parts of the security release complete
- Make an explicit ask that collaborators avoid doing this by gating on the tweet from the Node.js account
- Releasers would still be free to tweet earlier as they know when the process is complete.

Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: #46702
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>

1 parent b2a80d7 commit f9739a8

1 file changed: +8 -0 lines changed

doc/contributing/security-release-process.md

@@ -118,6 +118,7 @@ out a better way, forward the email you receive to
118118
`oss-security@lists.openwall.com` as a CC.
119119

120120
* [ ] Create a new issue in [nodejs/tweet][]
121+
121122
```text
122123
Security release pre-alert:
123124
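Review bot: The blank line added at new line 121, between the `* [ ] Create a new issue in [nodejs/tweet][]` item and the `text` fence that follows it, is a formatting-only change that the commit message does not mention. If it is there to satisfy the Markdown linter, say so in the commit message so it is not mistaken for an accidental edit.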
@@ -130,6 +131,13 @@ out a better way, forward the email you receive to
130131
https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
131132
```
132133

134+
We specifically ask that collaborators other than the releasers and security
135+
steward working on the security release do not tweet or publicise the release
136+
until the tweet from the Node.js twitter handle goes out. We have often
137+
seen tweets sent out before the release and associated announcements are
138+
complete which may confuse those waiting for the release and also takes
139+
away from the work the releasers have put into shipping the releases.
140+
133141
* [ ] Request releaser(s) to start integrating the PRs to be released.
134142

135143
* [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_
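
Review bot: "until the tweet from the Node.js twitter handle goes out" (new line 136) is ambiguous where it sits, directly after the step that files the pre-alert tweet issue: a reader can take it to mean the pre-alert tweet rather than the announcement sent once the release is complete, which is what the commit message describes. Suggest naming it explicitly, for example "until the release announcement tweet from the Node.js Twitter account goes out". The paragraph is also free-standing prose placed between two `* [ ]` checklist items in a list the steward works through, while the ask is aimed at other collaborators, so consider stating where those collaborators are expected to see it. Minor: add a comma before "which may confuse" and capitalise "twitter".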
