From 8017db8de0ed3360b8a1932de4a934e2e701dfad Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Mon, 23 Aug 2021 08:23:44 +0200 Subject: [PATCH] doc: add duplicate CVE check in sec. release doc This commit adds a note about only creating a CVE for Node.js vulnerabilities. The motivation for this is a recent HackerOne report where I created a CVE for a c-ares issue. This CVE should have been created by the c-ares project, and it was later, but we never updated our HackerOne report to use their CVE number. Hopefully this extra note in the release doc will help us check for this situation and avoid this in the future. Refs: https://hackerone.com/reports/1178337 --- doc/guides/security-release-process.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/guides/security-release-process.md b/doc/guides/security-release-process.md index 42e34b4dd82548..07354634b932c0 100644 --- a/doc/guides/security-release-process.md +++ b/doc/guides/security-release-process.md @@ -40,6 +40,9 @@ information described. * Approved * Pass `make test` * Have CVEs + * Make sure that dependent libraries have CVEs for their issues. We should + only create CVEs for vulnerabilities in Node.js itself. This is to avoid + having duplicate CVEs for the same vulnerability. * Described in the pre/post announcements * [ ] Pre-release announcement [email][]: ***LINK TO EMAIL***
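Review bot: the new bullet under "Have CVEs" states the rule (only Node.js vulnerabilities get a Node.js-issued CVE) but not the follow-up action that the commit message says was missed in the c-ares case: once the dependency's project has issued its CVE, the HackerOne report and the Node.js advisory must be updated to reference that CVE number. It also leaves open what to do when the dependency has not issued a CVE yet, which is exactly the situation that led to the duplicate. Consider extending the bullet along the lines of: "If the vulnerability is in a dependency, ask that project to issue the CVE rather than creating one ourselves, and once it exists, reference the dependency's CVE in the HackerOne report and in the Node.js advisory." That turns the bullet into a checkable item instead of a statement of intent.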