
EFI: Security

Open sheplu opened this issue 1 year ago • 0 comments

Motivation

Security is essential for all projects. Keeping every project in an organization up to date and safe is a daunting challenge, even more so when most of its libraries are used by millions. Having a dedicated group focused on security can help lower the risk and mitigate any issue more quickly.

Expectation

Form a dedicated security group, able to work autonomously while leveraging tooling and solutions to speed up detection and correction.

Implementation

  • Create Security WG
  • Define ways of working and processes
  • Explain how we work around CVE / Reports
  • Leverage GitHub Security reports and not "email to someone"

Status

Part: Organization

Status:

  • Create WG: in progress
  • Define processes:
  • CVE / Reports:
  • Github Security:

Note: all points could be delegated to the Security WG and tracked there.

Draft

Security is paramount. And the risk is even greater for a project used by almost everyone relying on Node.js to build an application. It is crucial that all the processes linked to security are strengthened to allow a quick discovery, a swift processing and a good mitigation. Some changes can be:

  • Rewrite security report procedure
  • Implement security report on GitHub
  • Define a priority processing of security reports by the TC
  • Or create a specialized security group

sheplu, Feb 20 '24 16:02