
Handle HackerOne org to core triage team #103

Closed
2 of 5 tasks
vdeturckheim opened this issue Jan 22, 2018 · 13 comments
@vdeturckheim
Member

TODO:

  • invite triage team members to HackerOne org (check your inboxes)
  • update report template
  • set up email redirection to HackerOne
  • update nodejs.org website
  • set up scopes in HackerOne

I have invited the following people to the HackerOne org (except for those who already had an invite pending):

Can you let me know who should be admin of this org? Also, I would recommend you all set up 2FA on HackerOne.

Other members:

  • @reedloden is currently a member of this H1 team; he helps us set up the ecosystem triage team and have everything running smoothly. You might need his help for the core triage team too!
  • @cjihrig is currently a member of the H1 team. He is not a member of the core triage team (see https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md). @cjihrig, do you want to request membership to this team? I let you see with other members here.
  • @vdeturckheim: I am still a member of the H1 team despite not being part of the core triage team. I'd like to stay involved and could help with housekeeping-related topics and cross-team communication (with the ecosystem team). I will open an issue on the TSC repository for this.

(closes #67)

@cjihrig
Contributor

cjihrig commented Jan 22, 2018

> @cjihrig is currently a member of the H1 team. He is not a member of the core triage team (see https://github.com/nodejs/security-wg/blob/master/processes/security_team_members.md). @cjihrig do you want to request membership to this team? I let you see with other members here.

If anyone thinks I can help by joining the team then I'd be happy to. If not, no big deal either.

@rvagg
Member

rvagg commented Jan 23, 2018

Got a link to where I should be able to log in, or whatever it is I'm supposed to do with this? I don't see anything in my email recently for this ... Unless I've already done it but forgotten. A link would help either way.

@vdeturckheim
Member Author

@rvagg I just re-invited your public github email address. Did you get anything?

@rvagg
Member

rvagg commented Jan 23, 2018

Yep, got the cancellation and the new invite, not sure where the original invite is!

Some questions / comments:

  1. What does this mean? Is it part of our process to get "verified" and why does that even matter?

[screenshot 2018-01-24 09 40 09]

  2. Why on earth do they think preventing me from turning on 2FA would be a good idea? Can we get that option switched somewhere? Also, "sandbox"? This doesn't sound like we're using a solid tool here.

[screenshot 2018-01-24 09 42 45]

  3. I've been assigned a demo issue and it tells me in the happy little comment that comes along with it that I can change the status ... but I can't. Not very promising.

[screenshot 2018-01-24 09 45 29]

@rvagg
Member

rvagg commented Jan 23, 2018

Reflection: this is going to need a better sales job to convince the team currently triaging that it's worth the hassle compared to the easy process of dealing with email. Most of the emails we get are either spam or things we punt to nodejs/help. The occasional real issue we just paste into node-private/security and deal with it there. If the suggestion is to replace that process with this new tool then it's going to need to be much smoother than this and provide actual value that we don't currently have. So far it seems like a tool for the sake of a tool (Silicon Valley Syndrome).

@MylesBorins

@rvagg I think one of the biggest pieces of value over email is accountability. It makes keeping records way better than email, and also makes the process of closing the loop easier to do. Also way less prone to error (not replying all)

@vdeturckheim
Member Author

Hey @rvagg. As @MylesBorins said, it might be a gain in the workflow of handling vulnerabilities in the core. Here is an example of a vuln we disclosed yesterday for the ecosystem: https://hackerone.com/reports/307666

The HackerOne team is very helpful should you need help to get familiar with the tool (especially @reedloden), but you can also find demos in recordings of recent WG meetings (I don't recall which dates exactly, however; maybe looking at the minutes will help). This might show you better the value of the tool.

After 2 months of using this tool for the management of the ecosystem vulnerabilities, I have to say it pretty much fits our needs on that side. That said, I have no visibility on the current state of the core vulnerability management therefore I can't really tell you how this would improve current processes.

Regarding sandbox/team verification: until the team is ready to review reports through HackerOne, there is probably no need to have it validated. People would start to report issues to a team that would not even read them.

@lirantal
Member

I'm also without prior experience with the HackerOne platform, but I find it very comfortable to manage the whole workflow. For example, inviting maintainers, messages for internal communication vs public, triaging severity, etc. All of that is really easy through the platform.

There are some quirks with the UI, but we updated the triage documentation to make it clearer and their support is helpful as well.

@vdeturckheim
Member Author

On hold for now. I'll work on that again shortly.

@cjihrig
Contributor

cjihrig commented Mar 22, 2018

@vdeturckheim I think the security-wg-agenda label can be removed (at least for now). Can you confirm?

@vdeturckheim
Member Author

@cjihrig yes!

@reedloden
Contributor

As per @vdeturckheim's request, I have launched https://hackerone.com/nodejs publicly (with bounties provided by the IBB).

@sam-github
Contributor

I believe this to be complete, please reopen if I misunderstand.
