Commit a2ed3e4 (parent 31da4fd): 1 changed file with 51 additions and 2 deletions.
@@ -1,2 +1,51 @@ | ||
# security-wg | ||
Express.js Security Working Group | ||
# Security Working Group | ||
|
||
## Charter | ||
|
||
The Security Working Group manages all aspects and processes linked to Express.js security, and is responsible for managing incoming security reports, and responsible also to prepare patches or releases. The nature of this task is sensitive, so only the Security triage team, Repo Captains and TC members will be involved on it. | ||
|
||
**Responsibilities include** | ||
- Define the Security triage role | ||
- Define and maintain security policies and procedures for the project and the packages in scope | ||
- Elaborate guidelines and recommendations for the ecosystem on how to build more secure middleware | ||
- Review and recommend processes for handling of security reports (but not the actual handling of security reports, which are reviewed directly by the TC). | ||
- Promote improvement of security practices within the Express.js ecosystem (For example: [OSSF Scorecard](https://github.com/expressjs/discussions/issues/162), threat model, etc..) | ||
- Recommend security improvements for the project and the packages in scope | ||
- Support the TC team on security triage when is requested | ||
- Support initiatives from the [OpenJS Foundation Security Collab Space](https://github.com/openjs-foundation/security-collab-space). | ||
|
||
|
||
## Current Initiatives | ||
|
||
We are currently defining the Initiatives for 2024, [feel free to participate](https://github.com/expressjs/security-wg/issues/1). | ||
|
||
| Initiative | Champion | Status | Links | | ||
|------------|----------|--------|-------| | ||
| OSSF Scorecard | _TBC_ | In progress | [#2](https://github.com/expressjs/security-wg/issues/2)| | ||
| Threat Model | _TBC_ | In progress | [#3](https://github.com/expressjs/security-wg/issues/3) | | ||
| Support OSTIF Audit | [@UlisesGascon](https://github.com/ulisesgascon) | In progress | [#6](https://github.com/expressjs/security-wg/issues/6) | ||
|
||
## Members | ||
|
||
The Security Working Group is composed by two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process. | ||
|
||
### Security Triage Team | ||
|
||
__TBC__ | ||
|
||
### Team Members | ||
|
||
__TBC__ | ||
|
||
## Meetings | ||
|
||
The Security Working Group meets every two weeks. Meetings are held on Zoom and are recorded or directly streamed to Youtube. The meeting is open to the public. The agenda and meeting notes are published in this repository. | ||
|
||
|
||
## Offline Discussions | ||
|
||
The Security Working Group uses the [GitHub issues]() for offline discussions. The discussions are open to the public and anyone can participate. Also, the group uses the channel `#express-security-wg` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration) for real-time discussions. | ||
|
||
## Code of Conduct | ||
|
||
The [Express.js CoC](https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md) applies to this repo. |
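Review bot: The link `[GitHub issues]()` under "## Offline Discussions" has an empty target and will render as a dead link; it should point at the repository's issue tracker (the "Current Initiatives" section already links issues under `https://github.com/expressjs/security-wg/issues/`). Two further points in this hunk: the charter paragraph states the group "is responsible for managing incoming security reports" while the responsibilities list says it reviews processes "but not the actual handling of security reports, which are reviewed directly by the TC", and the two should be reconciled so the scope of the triage team's authority is unambiguous; and the last row of the initiatives table (`| Support OSTIF Audit | ... | [#6](...) |`) lacks the closing `|` present on the other rows. Minor wording: "composed by two groups" should be "composed of two groups", and "when is requested" should be "when requested".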