From 3a4914352a0e20f320121bc3ee0d9967234b1e39 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sat, 13 Jun 2026 20:06:56 +0200 Subject: [PATCH] doc: document OpenJS CNA publication step in security release When `cve_source` is set to `openjs-cna` in `.ncurc`, NCU reserves CVE ids via the OpenJS Foundation CNA and publication to MITRE becomes a separate post-release step (`git node security --publish-cve`). Update the security release runbook accordingly: * Note the OpenJS CNA option under 'Requesting CVEs' with a forward reference to the Post-Release section. * Add a new Post-Release step for `--publish-cve`, scoped to the OpenJS CNA path. Includes a safety note: MITRE rejects cross-owner publication attempts loudly, but an accidental publication of one of the caller's own reserved CVEs goes through and becomes permanent. * Annotate the existing 'Request publication of H1 CVE requests' bullet in cleanup as a no-op under the OpenJS CNA path. Signed-off-by: Ulises Gascon --- doc/contributing/security-release-process.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index ba7dbae378f730..2181c4df6e84c3 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md 
@@ -74,6 +74,10 @@ The current security stewards are documented in the main Node.js * Make sure to have a green CI before requesting a CVE. * Check if there is a need to issue a CVE for any version that became EOL after the last security release through [this issue](https://github.com/nodejs/security-wg/issues/1419). + * If `cve_source: openjs-cna` is set in `.ncurc`, CVEs are reserved through + the OpenJS Foundation CNA instead of HackerOne. The HackerOne report is + updated with the CVE id either way. Publication to MITRE then becomes a + separate [Post-Release](#post-release) step. * [ ] 5\. **Choosing or Updating Release Date:** * Get agreement on the planned date for the release. 
@@ -165,14 +169,25 @@ security announcements for more information. ## Post-Release -* [ ] 1\. **Cleanup:** +* [ ] 1\. **Publish CVEs to MITRE (OpenJS CNA path only):** + * Skip this step if `cve_source` is `hackerone` (the default) — HackerOne + publishes to MITRE automatically during disclosure. + * Run `git node security --publish-cve`. Posts each reserved CVE's v5.2 + CNA Container to MITRE. Run this **before** `--cleanup`. + * **Safety:** MITRE rejects publication for CVEs assigned to a different + CNA, so cross-owner mistakes fail loud. But an accidental publication of + one of *your own* reserved CVEs goes through and becomes public with no + API to un-publish. Double-check the payload before confirming each one. + +* [ ] 2\. **Cleanup:** * [ ] `git node security --cleanup`. This command will: * Update next-security-release folder * Close all PRs and backports labeled with `Security Release`. * Close HackerOne reports: * Close Resolved * Request Disclosure - * Request publication of H1 CVE requests + * Request publication of H1 CVE requests _(skip when using OpenJS CNA — + already published)_. * In case the reporter doesn't accept the disclosure follow this process: Remove the original report reference within the reference text box and insert the public URL you would like to be attached to this CVE.
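Review bot: In the first hunk (the new `cve_source: openjs-cna` bullet under 'Requesting CVEs'), the bullet says publication "becomes a separate Post-Release step" but never names the command, so a steward reading the CVE-request checklist has no cue about what is left pending until they reach the Post-Release section. Suggest naming it inline, e.g. "Publication to MITRE then becomes a separate [Post-Release](#post-release) step (`git node security --publish-cve`)", and stating that the default value of `cve_source` is `hackerone` here as well, since that default is currently only mentioned in the Post-Release hunk.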
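Review bot: In the second hunk, the **Safety** bullet of the new step 1 tells the operator to "Double-check the payload before confirming each one", but nothing in the step says that `--publish-cve` displays the CNA Container or prompts per CVE, so the warning is not actionable as written; please state explicitly what the command shows and what the confirmation looks like (and whether a review-only mode exists, if the tool has one), since the same bullet documents that a mistaken publication of an own reserved CVE is permanent. Two smaller points: "v5.2 CNA Container" would benefit from a link to the CVE record format it refers to, and since Cleanup moved from step 1 to step 2, please confirm that any later numbered Post-Release steps outside this hunk were renumbered as well.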