docs(security): add secondary contact/security escalation policy #6315

Merged

Uzlopak merged 5 commits into fastify:main from UlisesGascon:patch-1 on Sep 18, 2025

Conversation

@UlisesGascon
Contributor

Signed-off-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Contributor

@Uzlopak Uzlopak left a comment

Or else?

@UlisesGascon
Contributor Author

Or else?

I’ll add clarification. Escalation means contacting the OpenJS Foundation CNA if the project team is unresponsive. The CNA ensures the report is acknowledged, helps coordinate disclosure, and can assign a CVE if necessary. It’s not a bypass or a guarantee of a faster fix. It is just a safeguard to ensure reports are handled properly.

This change is also being adopted by other projects in the foundation (e.g. nodejs/node#59806, jquery/jquery#5701....), so we’ll have a consistent approach across OpenJS as discussed on the CPC Meeting.

@Uzlopak
Contributor

Uzlopak commented Sep 15, 2025

@UlisesGascon You answered in the meantime, but below is what I wanted to answer you before your post.

First of all, an escalation should, imho, not be the first thing I read. It should be at the bottom of the document, after we have described how we handle security reports.

We have a self-mandated 4-day reaction time.

Also I think it is critical to not clarify what the scope of the escalation is. What is the role of the OpenJS Foundation here?
What is the ultima ratio of the escalation? Keeping potential project funds? Project takeover by the Foundation? Creating a PR which fastify maintainers are obligated to merge?

Or is the wording "escalation" the issue? Is it more about the OpenJS Foundation CNA then separately publishing a CVE? Then the wording "escalation" is inappropriate.

Without any clarification I think we should reject this policy change.

@Uzlopak
Contributor

Uzlopak commented Sep 15, 2025

I see that in the nodejs PR the "escalation" also needed clarification. I think we should encourage the OpenJS Foundation to change the template for the sake of clarity.

UlisesGascon and others added 2 commits September 15, 2025 17:09
Co-authored-by: Aras Abbasi <aras.abbasi@googlemail.com>
Signed-off-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
@UlisesGascon
Contributor Author

Thanks for the feedback @Uzlopak! I will bring this discussion to the Security Collab Space to re-define the policy/template. In the meantime I relocated the text in ac96ec2 with your suggestions included.

Contributor

@Uzlopak Uzlopak left a comment

Thank you for your work

@Fdawgs Fdawgs changed the title docs: add security escalation policy docs(security): add security escalation policy Sep 15, 2025
Co-authored-by: Frazer Smith <frazer.dev@icloud.com>
Signed-off-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Contributor

@Uzlopak Uzlopak left a comment

LGTM

Member

@metcoder95 metcoder95 left a comment

lgtm, just linting seems to be failing

@Uzlopak
Contributor

Uzlopak commented Sep 16, 2025

@fastify/leads

Do you agree with this PR?

Member

@mcollina mcollina left a comment

lgtm

Member

@gurgunday gurgunday left a comment

lgtm

@Uzlopak Uzlopak merged commit a4fe041 into fastify:main Sep 18, 2025
5 checks passed
@Uzlopak Uzlopak changed the title docs(security): add security escalation policy docs(security): add secondary contact/security escalation policy Sep 18, 2025
7 participants