docs: add working group details #5
Merged
10 commits
b4d92b7 docs: add working group details (UlisesGascon)
4056b84 docs: improve readability (UlisesGascon)
7245543 docs: add support for OSSF Best practices initiative (UlisesGascon)
dffab00 docs: improve readability (UlisesGascon)
cbb9880 docs: improve readability (UlisesGascon)
3b82f3a docs: improve readability (UlisesGascon)
e662788 docs: improve readability (UlisesGascon)
d1c993b docs: add calendar reference (UlisesGascon)
317ff29 docs: update references to Express.js project (UlisesGascon)
8312523 docs: add reference to projects spreadsheet (UlisesGascon)
@@ -1,2 +1,64 @@ | ||
# security-wg | ||
Express.js Security Working Group | ||
# Security Working Group | ||
|
||
## Charter | ||
|
||
The Security Working Group manages all aspects and processes linked to the Express Project's security, and is responsible for managing incoming security reports, and responsible also to prepare patches or releases. The nature of this task is sensitive, so only the Security triage team, Repo Captains and TC members will be involved in it. | ||
|
||
### Responsibilities | ||
|
||
- Define the Security triage role | ||
- Define and maintain security policies and procedures for the project and the packages in scope (see [this spreadsheet for scope details](https://docs.google.com/spreadsheets/d/1Qi7B78K6R_RyFloAcrcizL2oYawwMEmdKjgzC_Lik9Q/edit#gid=475621832)) | ||
- Provide guidance to the ecosystem on how to build more secure middleware | ||
- Review and recommend processes for handling of security reports. | ||
- Promote improvement of security practices within the Express project's ecosystem (For example: [OSSF Scorecard](https://github.com/expressjs/discussions/issues/162), threat model, etc..) | ||
- Recommend security improvements for the project and the packages in scope | ||
- Support the TC team on security triage as needed | ||
- Support initiatives from the [OpenJS Foundation Security Collab Space](https://github.com/openjs-foundation/security-collab-space). | ||
- Support initiatives from the OpenSSF [Best Practices for Open Source Developers Working Group](https://github.com/ossf/wg-best-practices-os-developers). | ||
|
||
## Current Initiatives | ||
|
||
We are currently defining the Initiatives for 2024, [feel free to participate](https://github.com/expressjs/security-wg/issues/1). | ||
|
||
| Initiative | Champion | Status | Links | | ||
|------------|----------|--------|-------| | ||
| OSSF Scorecard | [@inigomarquinez](https://github.com/inigomarquinez) | In progress | [#2](https://github.com/expressjs/security-wg/issues/2)| | ||
|
||
| Threat Model | _TBC_ | In progress | [#3](https://github.com/expressjs/security-wg/issues/3) | | ||
| Support OSTIF Audit | [@UlisesGascon](https://github.com/ulisesgascon) | In progress | [#6](https://github.com/expressjs/security-wg/issues/6) | ||
|
||
## Members | ||
|
||
The Security Working Group is composed of two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process. | ||
|
||
### Security Triage Team | ||
|
||
- [Adam Ruddermann](https://github.com/ruddermann) | ||
- [Chris de Almeida](https://github.com/ctcpip) | ||
- [Jean Burellier](https://github.com/sheplu) | ||
- [Marco Ippolito](https://github.com/marco-ippolito) | ||
- [Rafael Gonzaga](https://github.com/RafaelGSS) | ||
- [Ulises Gascón](https://github.com/UlisesGascon) | ||
- [Wes Todd](https://github.com/wesleytodd) | ||
|
||
### Team Members | ||
- [Adam Ruddermann](https://github.com/ruddermann) | ||
- [Carlos Serrano](https://github.com/carpasse) | ||
- [Chris de Almeida](https://github.com/ctcpip) | ||
- [Íñigo Marquínez Prado](https://github.com/inigomarquinez) | ||
- [Jean Burellier](https://github.com/sheplu) | ||
- [Marco Ippolito](https://github.com/marco-ippolito) | ||
- [Rafael Gonzaga](https://github.com/RafaelGSS) | ||
- [Ulises Gascón](https://github.com/UlisesGascon) | ||
- [Wes Todd](https://github.com/wesleytodd) | ||
|
||
## Meetings | ||
|
||
The Security Working Group meets every two weeks. Meetings are held on Zoom and are recorded or directly streamed to Youtube. The meeting is open to the public. The agenda and meeting notes are published in this repository. The calendar entries are available in the [OpenJS Foundation calendar](https://openjsf.org/collaboration). | ||
|
||
## Offline Discussions | ||
|
||
The Security Working Group uses the [GitHub issues](https://github.com/expressjs/security-wg/issues) for offline discussions. The discussions are open to the public and anyone can participate. Also, the group uses the channel `#express-security-wg` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration) for real-time discussions. | ||
|
||
## Code of Conduct | ||
|
||
The [Express Project's CoC](https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md) applies to this repo. |
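Review bot: the rows of the initiatives table under "Current Initiatives" are inconsistent and should be aligned to one shape (`| Initiative | Champion | Status | Links |`): the OSSF Scorecard row ends in `[#2](...)|` with no space before its closing pipe, and the Support OSTIF Audit row has no closing pipe at all while the two rows above it do. Two smaller points in the same hunk: the Members intro says the group consists of the Security Triage Team and the Regular members, but the second list is headed "Team Members" (and, unlike every other list in the file, has no blank line after its heading), so either rename that heading to "Regular Members" or reword the intro; and because the charter states that incoming security reports are handled by a restricted group, the README should point readers to the project's private vulnerability-reporting policy so that reports do not end up in the public GitHub issues or Slack channel this document advertises.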
I will fix the pretty format of this table for md in a follow-on PR :)
Yes 🙏