Meet the Node.js Security Working Group
In this post I would like to acquaint you with the work being done by the Node.js Security Working Group and how we're improving the state of security for the Node.js ecosystem.
Intro
The working group was established as part of the Node.js Foundation in late 2016, but resumed higher activity in late 2017 as more members joined it and helped drive agenda items.
The WG is composed of members of the Node.js Foundation who mostly have an affiliation with security initiatives, or another relevant background.
We meet regularly, on a monthly basis, to discuss items on the agenda.
The session is broadcast live, so we welcome anyone to join for updates or to bring up matters to discuss.
Scope & Responsibilities
The WG's set of responsibilities and scope is large and well documented in our repository, but it can be classified into the following two high-level scopes:
- Improving the state of the Node.js security ecosystem — through the creation of many initiatives, policies, and processes that we'll review later in the article.
- Governing responsible disclosure programs for Node.js and the npm ecosystem — building a dedicated team and setting up relevant policies and processes to enable security researchers to report vulnerabilities found in third-party Node.js modules (npm).
The first is handled largely in an open manner through the issue queue or agenda meetings, while the second is managed behind a veil of discretion, since a vulnerability report made public before a fix is available would expose users to malicious attackers.
Let’s further expand on selected initiatives from the above.
A Responsible Disclosure Program for the Node.js Ecosystem
This program provides a platform for bug hunters and security researchers to safely report vulnerabilities in third-party modules for Node.js.
We have established official channels of communication, namely through the HackerOne platform, and put policies in place for how to handle vulnerabilities.
This extends to module authors as well, who are now able to discreetly engage with such vulnerability reports, work out a fix, and release it without the vulnerability being public before a patch is introduced and provided to users. This is very much the essence of a responsible disclosure program.
A Responsible Disclosure Program for core Node.js
Very much like the Node.js ecosystem program, the core Node.js project can now benefit from security researchers seeking security issues in the core runtime.
The Internet Bug Bounty (IBB) organization sponsors this activity and supports it as it does for other Internet infrastructure and key open source software projects.
The SECURITY.md Badge
I'm pretty sure you are familiar with a CONTRIBUTING or CODE_OF_CONDUCT policy guideline in your repository. Why not have a similar policy for security-related issues?
If someone found a security problem with your Node module, how should they report it? Who should they contact? What if they can't reach the maintainer? What if they want to stay anonymous?
As a module maintainer you can easily provide these details to your users by adopting a SECURITY.md file, which you can copy from the template we made.
Furthermore, adding the security badge to your repository sends a positive message to your users that you are seriously committed to addressing security concerns.
Stay tuned for follow-up posts into the activities of the Working Group!
Feedback!
Whether you're a module author, a security researcher or an end user, your feedback is important. We want to hear from you about how we can improve, and which painful areas we can further engage on.
We also invite you to join us on an open Slack channel: https://nodejs-security-wg.herokuapp.com/