Reporting security concerns


Ritchie

Apr 23, 2014, 10:47:55 PM
to nod...@googlegroups.com
Hi, Folks.

Who would be the best person with whom to discuss a security concern with Node privately?

Thanks
Ritchie

Brandon Moser

Apr 24, 2014, 1:38:47 AM
to nod...@googlegroups.com
Ritchie,

Check out https://nodesecurity.io/. They work with the Node team directly and have a link to submit a vulnerability.

Brandon

--
Brandon Moser

Floby

Apr 24, 2014, 4:15:46 AM
to nod...@googlegroups.com
This is a rather odd request. I'm not qualified with security matters in node, but I'm also of the opinion that security isn't secrecy. If there is a security concern with node itself, then it's probably best for the whole community to know.
If there is a potential security concern in your own context (using node, I presume) then it seems to me that you're looking for node.js consulting. Therefore, it should be a job offer. Am I getting this wrong?

Florent

Ritchie Young

Apr 24, 2014, 5:04:13 AM
to nod...@googlegroups.com
Hi, Florent.

Thanks for the response and yes, you're getting it wrong :)

Of course, it would be best for the whole community to know but I'm wondering if it's possible to give those people who have obviously been affected a heads-up first - probably not.

I've promised one other party that I'll wait a week before describing the issue publicly, but I'd be happy to describe it to one of the core team members in the meantime.

Apologies for the cloak-and-dagger act but I haven't been in this situation before and I'm just trying to handle it responsibly.

Cheers
Ritchie



Dan Shaw

Apr 24, 2014, 5:18:12 AM
to nod...@googlegroups.com
You're looking for TJ Fontaine <tjfon...@gmail.com>.

Direct your security concern to secu...@nodejs.org.

Daniel Shaw
@dshaw

Ryan Schmidt

Apr 24, 2014, 6:30:56 AM
to nod...@googlegroups.com

On Apr 24, 2014, at 03:15, Floby wrote:

> This is a rather odd request. I'm not qualified with security matters in node, but I'm also of the opinion that security isn't secrecy. If there is a security concern with node itself, then it's probably best for the whole community to know.

http://en.wikipedia.org/wiki/Responsible_disclosure



Ritchie Young

Apr 24, 2014, 8:54:05 AM
to nod...@googlegroups.com
Fantastic.

Thanks, Dan.


Peter Rust

Apr 24, 2014, 9:32:31 AM
to nod...@googlegroups.com
> I'm also of the opinion that security isn't secrecy. If there is a security concern with node itself,
> then it's probably best for the whole community to know

To quote isaacs re: a similar security concern:

> A few weeks ago, Matthew Daley found a security vulnerability in Node's HTTP implementation,
> and thankfully did the responsible thing and reported it to us via email.
> The innocuous commit message does not give away the security implications,
> precisely because we wanted to get a fix out before making a big deal about it.
> I'm extremely grateful that Matthew took the time to report the problem 
> ... in such a way that we had a reasonable amount of time to fix the issue before making it public.

-- peter