@@ -373,3 +373,100 @@ repository.
373373
374374In the event of a security incident, please refer to the
375375[ Security Incident Response Plan] ( https://github.com/nodejs/security-wg/blob/main/INCIDENT_RESPONSE_PLAN.md ) .
376+
377+ ## Node.js Security Team
378+
379+ Node.js security team members are expected to keep all information that they
380+ have privileged access to by being on the team completely private to the team.
381+ This includes agreeing to not notify anyone outside the team of issues that have
382+ not yet been disclosed publicly, including the existence of issues, expectations
383+ of upcoming releases, and patching of any issues other than in the process of
384+ their work as a member of the security team.
385+
386+ ### Node.js Security Team Membership Policy
387+
388+ The Node.js Security Team has access to security-sensitive issues and patches
389+ that aren't appropriate for public availability.
390+
391+ The policy for inclusion is as follows:
392+
393+ 1 . All members of @nodejs/TSC have access to private security reports and
394+ private patches.
395+ 2 . Members of the @nodejs/releasers team
396+ have access to private security patches in order to produce releases.
397+ 3 . On a case-by-case basis, individuals outside the Technical Steering
398+ Committee are invited by the TSC to have access to private security reports
399+ or private patches so that their expertise can be applied to an issue or
400+ patch. This access may be temporary or permanent, as decided by the TSC.
401+
402+ Membership on the security teams can be requested via an issue in the TSC repo.
403+
404+ ## Team responsible for Triaging security reports
405+
406+ The responsibility of Triage is to determine whether Node.js must take any
407+ action to mitigate the issue, and if so, to ensure that the action is taken.
408+
409+ Mitigation may take many forms, for example, a Node.js security release that
410+ includes a fix, documentation, an informational CVE or blog post.
411+
412+ * [ @mcollina ] ( https://github.com/mcollina ) - Matteo Collina
413+ * [ @RafaelGSS ] ( https://github.com/RafaelGSS ) - Rafael Gonzaga
414+ * [ @vdeturckheim ] ( https://github.com/vdeturckheim ) - Vladimir de Turckheim
415+ * [ @BethGriggs ] ( https://github.com/BethGriggs ) - Beth Griggs
416+
417+ ## Team with access to private security reports against Node.js
418+
419+ [ TSC voting members] ( https://github.com/nodejs/node#tsc-voting-members )
420+ have access.
421+
422+ In addition, these individuals have access:
423+
424+ * [ BethGriggs] ( https://github.com/BethGriggs ) - ** Beth Griggs**
425+ * [ MylesBorins] ( https://github.com/MylesBorins ) - ** Myles Borins**
426+ * [ bengl] ( https://github.com/bengl ) - ** Bryan English**
427+ * [ bnoordhuis] ( https://github.com/bnoordhuis ) ** Ben Noordhuis**
428+ * [ cjihrig] ( https://github.com/cjihrig ) ** Colin Ihrig**
429+ * [ joesepi] ( https://github.com/joesepi ) - ** Joe Sepi**
430+ * [ juanarbol] ( https://github.com/juanarbol ) ** Juan Jose Arboleda**
431+ * [ ulisesgascon] ( https://github.com/ulisesgascon ) ** Ulises Gascón**
432+ * [ vdeturckheim] ( https://github.com/vdeturckheim ) - ** Vladimir de Turckheim**
433+
434+ The list is from the [ member page] ( https://hackerone.com/organizations/nodejs/settings/users ) for
435+ the Node.js program on HackerOne.
436+
437+ ## Team with access to private security patches to Node.js
438+
439+ <!-- ncu-team-sync.team(nodejs-private/security) -->
440+
441+ * [ @aduh95 ] ( https://github.com/aduh95 ) - Antoine du Hamel
442+ * [ @anonrig ] ( https://github.com/anonrig ) - Yagiz Nizipli
443+ * [ @bengl ] ( https://github.com/bengl ) - Bryan English
444+ * [ @benjamingr ] ( https://github.com/benjamingr ) - Benjamin Gruenbaum
445+ * [ @bmeck ] ( https://github.com/bmeck ) - Bradley Farias
446+ * [ @bnoordhuis ] ( https://github.com/bnoordhuis ) - Ben Noordhuis
447+ * [ @BridgeAR ] ( https://github.com/BridgeAR ) - Ruben Bridgewater
448+ * [ @gireeshpunathil ] ( https://github.com/gireeshpunathil ) - Gireesh Punathil
449+ * [ @guybedford ] ( https://github.com/guybedford ) - Guy Bedford
450+ * [ @indutny ] ( https://github.com/indutny ) - Fedor Indutny
451+ * [ @jasnell ] ( https://github.com/jasnell ) - James M Snell
452+ * [ @joaocgreis ] ( https://github.com/joaocgreis ) - João Reis
453+ * [ @joesepi ] ( https://github.com/joesepi ) - Joe Sepi
454+ * [ @joyeecheung ] ( https://github.com/joyeecheung ) - Joyee Cheung
455+ * [ @juanarbol ] ( https://github.com/juanarbol ) - Juan José
456+ * [ @legendecas ] ( https://github.com/legendecas ) - Chengzhong Wu
457+ * [ @marco-ippolito ] ( https://github.com/marco-ippolito ) - Marco Ippolito
458+ * [ @mcollina ] ( https://github.com/mcollina ) - Matteo Collina
459+ * [ @MoLow ] ( https://github.com/MoLow ) - Moshe Atlow
460+ * [ @panva ] ( https://github.com/panva ) - Filip Skokan
461+ * [ @RafaelGSS ] ( https://github.com/RafaelGSS ) - Rafael Gonzaga
462+ * [ @richardlau ] ( https://github.com/richardlau ) - Richard Lau
463+ * [ @ronag ] ( https://github.com/ronag ) - Robert Nagy
464+ * [ @ruyadorno ] ( https://github.com/ruyadorno ) - Ruy Adorno
465+ * [ @santigimeno ] ( https://github.com/santigimeno ) - Santiago Gimeno
466+ * [ @ShogunPanda ] ( https://github.com/ShogunPanda ) - Paolo Insogna
467+ * [ @targos ] ( https://github.com/targos ) - Michaël Zasso
468+ * [ @tniessen ] ( https://github.com/tniessen ) - Tobias Nießen
469+ * [ @UlisesGascon ] ( https://github.com/UlisesGascon ) - Ulises Gascón
470+ * [ @vdeturckheim ] ( https://github.com/vdeturckheim ) - Vladimir de Turckheim
471+
472+ <!-- ncu-team-sync end -->
0 commit comments