Security is essential for all projects. Keeping every project in an organization up to date and safe is an even more daunting challenge when most of its libraries are used by millions. A dedicated group focusing on security can help lower the risk and mitigate any issue more quickly.
Expectation
Form a dedicated security group, able to work autonomously while leveraging tooling and solutions to speed up detection and correction.
Implementation
Create Security WG
Define ways of working and processes
Explain how we handle CVEs and security reports
Leverage GitHub security reports rather than "email to someone"
Note: all points could be delegated to the Security WG for tracking
Draft
Security is paramount, and the risk is even greater for a project used by almost everyone who relies on Node.js to build an application. It is crucial that all security-related processes are strengthened to allow quick discovery, swift processing and good mitigation.
Some possible changes:
Rewrite security report procedure
Implement security report on GitHub
Define priority processing of security reports by the TC
Or create a specialized security group
Status
Part: Organization
Status: