Comments (7)
FWIW, the Express project has specifically opted out of the Node.js HackerOne project, due to a few issues in the past: (1) very long triage turnarounds and (2) public disclosures that were made on our projects without even pulling us into the conversation. We have not had any issues triaging or responding to the security issues with our current process, so have not seen any need to opt into HackerOne at this time.
P.S. @UlisesGascon that user never actually followed up on the issue, if you were curious. I did look into the issue since it was reported, and as far as I can tell (barring the user actually making a report and providing a PoC) there is no issue, which may have been why the user never followed up (it has happened before).
Here is the part the user wrote that I removed:
> It's actually less secure because now not a standard hash (which can be made secure by the API programmer) is determining that it is secure but rather a third-party library; if there is a bug in the security of cookie.signature it will mean this is also insecure.
Great input @dougwilson!
Sorry I didn't properly comment my ideas when I opened the issue. My idea was to suggest including a reference to the bug bounty program and also fixing the broken link to [Node Security Project](https://nodesecurity.io/report).
I was not aware that Express opted out of the bounty program, but it seems clear now with your feedback. The problem with a library like Express is that there are too many options that the end user (developer) can use in order to make the project more or less secure, but I agree that it seems super hard to triage and be involved in all the discussions where Express can be related, just as you show in the PoC provided by the original reporter.
Regarding the broken link, it seems like the nodesecurity.io domain is now redirecting to the npmjs.com homepage. Full context here.
Should we use a different link then, @dougwilson?
👋 This is Marcin from Node.js Ecosystem Security WG. I just wanted to clarify one thing really quickly:
> As far as the opt-out goes, the HackerOne (https://hackerone.com/nodejs-ecosystem?type=team) just lists us as being ineligible for bounties as their method for marking that from what I understand.
Not quite. The Node.js Ecosystem program on HackerOne is open and everyone can submit a report against any package (we are working on fixing that).
We can't really stop people from reporting issues through HackerOne, but we can ask them to report them directly to Express according to their security policy if they do.
> As far as I know the documentation is outdated and the link is broken.
What about it is outdated? We have gotten reports recently, so I don't think anyone has had trouble making reports. The link is to report non-Express-related issues, and a PR can be made to update the link, but it is unrelated to making these types of reports...
Unless there is something missing here, I'm going to assume this is a duplicate of #110, and any issues with the specific Security.md file should ideally be filed on the repo that file is in (though a PR is even better!).
Yea, the nodesecurity project was folded into npmjs, and I guess they just get a whole-domain redirect to the npmjs.com homepage. It doesn't seem like npmjs.com provides a general security report form, instead the expectation is to search for the package, open the package's page, and click on "Report a vulnerability" there.
The idea of that was really to direct folks where to go for non-Express things. Maybe we just remove the link altogether and just say "report to the project" or something? Probably worth an issue/PR in the repo with the Security.md file in question for further discussion around it, but those are my initial thoughts on fixing the broken link.
As far as the opt-out goes, the HackerOne (https://hackerone.com/nodejs-ecosystem?type=team) just lists us as being ineligible for bounties as their method for marking that from what I understand.