Description
Liran Tal, Senior Development Advocate at Snyk and member of the Node.js Security Working Group gives an update on what the Security WG has been up to from Node+JS Interactive.
Hi everyone, my name is Liran Tal, I'm a developer. Okay, that's Nick. I'm also heavily involved with the Security Working Group for the Node Foundation, so trying to do some processes and trying to help security in the npm ecosystem and Node.js as well. So this conference has been really great in terms of, you know, just meeting people, getting together, getting stuff done as well. The collaborators tell me that you're looking forward to it in the next couple of days, and there are a couple of things, so maybe like three things, that I wanted to update you on.

What's been going on within the Node Security Working Group? So first off, one thing that we have been kind of like communicating a lot is that we actually received funding for the Node working group in terms of our ability to work with HackerOne and then reward security researchers on any vulnerabilities that they've been submitting.

This is something that has been rolling out actually pretty recently. We've been able to get criteria for which modules would be eligible to get the bounties for, and this way we're trying to get more awareness and more security researchers getting involved within the security space for Node and npm itself. It is really good, something that's really recently going on, and really good for us as the Node ecosystem.

An interesting point of that: we're trying to see if we can maybe divert some of those funds to maintainers as well that will participate. It's like we're kind of trying to pay both parties in terms of driving some motivation around not just reporting issues, but also supporting the maintainers to spend time fixing them. So it's a really important project; we're going to see with HackerOne how we're gonna be able to roll this out as well. Another update on the working group itself is, since this whole OpenJS Foundation thing has been going on really strong, together a great, you know, message I think for the whole JavaScript ecosystem, we're trying to see how we are able to get some responsible disclosure guidelines set up not just for the Node Foundation, but also for the entire, like, Cross Project Council in terms of the whole OpenJS Foundation and the whole 20 projects that we have in it. So how do we make those standards work for everyone as well, and not just be a particular part of Node as part of it?

So this is something that Morrison from the working group has been going to send off a draft on, and we'll make this work. If you want to get involved, have any opinions, or want to help out, just jump onto github.com/nodejs/security-wg and just find us on DHT key; we'll be happy to get some external eyes on this as well. And generally, if you want to just get involved and see what's going on, everything is very transparent. Just hop on the repository; the readme is, you know, pretty clear and helpful, I think.

So, you know, I just think maybe the last update would be around kind of like a challenging thing that has kind of been raised recently. We have some issues in terms of how we handle large-scale disclosures. So what we've been seeing, not a whole lot, but it has been happening a couple of times at least, is security researchers, mostly from academia, have been doing a lot of security research around like ReDoS, like regular expression denial of service, and other kinds of like path traversal kind of vulnerability.

It's like different kinds of classes, but they've been able to find those and disclose those issues across like hundreds of projects or like npm modules. So how do we, as the Security Working Group, handle those disclosures at larger scale? Because each of those kind of maps into one or two, you know, reports that we have to do, so having hundreds of them, I mean, it's also hundreds of like H1 reports that we have to roll out. It has been an interesting discussion for ourselves.

Well, if you want to jump in and see if you wanna just help out, or, you know, flesh out some of the interesting areas to kind of take action on, it's also something that we've been dabbling with recently. So that's it for me, hoping to catch up with you on social media or on OJ's rebel. Why.