
Comments (7)

dougwilson commented on April 27, 2024

FWIW, the Express project has specifically opted out of the Node.js HackerOne project, due to a few issues in the past: (1) very long triage turnarounds and (2) public disclosures that were made on our projects without even pulling us into the conversation. We have not had any issues triaging or responding to the security issues with our current process, so have not seen any need to opt into HackerOne at this time.

dougwilson commented on April 27, 2024

P.S. @UlisesGascon that user never actually followed up on the issue, if you were curious. I did look into the issue since it was reported and, as far as I can tell (barring the user actually making a report and providing a PoC), there is no issue, which may have been why the user never followed up (it has happened before).

Here is the part the user wrote that I removed:

> It's actually less secure because now it is not a standard hash (which can be made secure by the API programmer) that is determining that it is secure, but rather a third-party library; if there is a bug in the security of cookie.signature, it will mean this is also insecure.

UlisesGascon commented on April 27, 2024

Great input @dougwilson!

Sorry I didn't properly comment on my ideas when I opened the issue. My idea was to suggest including a reference to the bug bounty program and also fixing the broken link to [Node Security Project](https://nodesecurity.io/report).

I was not aware that Express opted out of the bounty program, but it seems clear now with your feedback. The problem with a library like Express is that there are too many options that the end user (developer) can choose in order to make the project more or less secure, but I agree that it seems super hard to triage and be involved in all the discussions where Express can be related, just as you show in the PoC provided by the original reporter.

Regarding the broken link, it seems like the nodesecurity.io domain is now redirecting to the npmjs.com homepage. Full context here.

Should we use a different link then, @dougwilson?

MarcinHoppe commented on April 27, 2024

👋 This is Marcin from Node.js Ecosystem Security WG. I just wanted to clarify one thing really quickly:

> As far as the opt-out goes, HackerOne (https://hackerone.com/nodejs-ecosystem?type=team) just lists us as being ineligible for bounties as their method for marking that, from what I understand.

Not quite. The Node.js Ecosystem program on HackerOne is open and everyone can submit a report against any package (we are working on fixing that).

We can't really stop people from reporting issues through HackerOne, but we can ask them to report them directly to Express according to their security policy if they do.

dougwilson commented on April 27, 2024

> As far as I know the documentation is outdated and the link is broken.

What about it is outdated? We have gotten reports recently, so I don't think anyone has had trouble making reports. The link is for reporting non-Express-related issues, and a PR can be made to update the link, but it is unrelated to making these types of reports...

dougwilson commented on April 27, 2024

Unless there is something missing here, I'm going to assume this is a duplicate of #110, and any issues with the specific Security.md file should ideally be filed on the repo that file is in (though a PR is even better!).

dougwilson commented on April 27, 2024

Yea, the nodesecurity project was folded into npmjs, and I guess they just get a whole-domain redirect to the npmjs.com homepage. It doesn't seem like npmjs.com provides a general security report form; instead the expectation is to search for the package, open the package's page, and click on "Report a vulnerability" there.

The idea of that was really to direct folks where to go for non-Express things. Maybe we just remove the link altogether and just say "report to the project" or something? Probably worth an issue/PR in the repo with the Security.md file in question for further discussion around it, but those are my initial thoughts on fixing the broken link.

As far as the opt-out goes, HackerOne (https://hackerone.com/nodejs-ecosystem?type=team) just lists us as being ineligible for bounties as their method for marking that, from what I understand.
