January was busy with HackerOne reports, vulnerability fixes for OpenSSL and Node.js and security updates due to the upcoming Node.js security release.
In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security. The grant has been renewed at just under $300,000 for the calendar year. OpenJS Foundation works with NearForm to fulfill the grant goals.
With so much accomplished last year, we look forward to further improving Node.js security in 2023. Thank you to OpenSSF for their continued support.
Fixing and Triaging 21 Issues
There were 5 new HackerOne reports in January along with 8 vulnerabilities to fix from OpenSSL, and 8 for Node.js due to the upcoming security release. The improved Threat Model is helping to assess priority.
New Node.js CVE Database
Security Working Group initiatives have been making progress. CVEs are now stored in a database that is accessible by all. CVEs had been stored in the Security Working Group repo, but the repo was not perfectly up-to-date. The Node.js database fixes this issue and can be used by vendors.
Google Open Source Security Team (GOSST) Participation
The Google Open Source Security Team (GOSST) participated in the January 19, 2023, Security Working Group meeting. GOSST contributes to OpenSSF Scorecards, and they brought a lot of helpful discussion topics. OpenSSF Scorecards are a cross-industry initiative to improve open source software security, with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosure best practices.
Expanded Ecosystem Focus
Ecosystem adoption is a key component of Node.js security. We are finalizing the Permission Model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.
Most recently, we reviewed and fixed a bug in Fastify that will be released alongside the Node.js security release. We also shipped fixes for Undici, an HTTP/1.1 client.
Early Work on is-my-node-vulnerable
We created a package called is-my-node-vulnerable to make it easy to check your own Node.js installation. It helps ensure the security of that installation by checking it against known vulnerabilities: it compares the version of Node.js you have installed (process.version) with the Node.js Security Database and alerts you if a matching vulnerability is found. So far, we are getting good feedback from the community. We are currently thinking about how to present the tool to vendors and how to get more people involved.
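To make the check described above concrete, here is an added example (written for this post, not the is-my-node-vulnerable package's own code) that does the same kind of comparison against a small in-memory database. The database entries, their EXAMPLE-* identifiers, the range syntax (space-separated comparators that must all hold, with an array meaning "any of these ranges") and the function names are all assumptions constructed for the example; the real tool reads the published Node.js Security Database instead of a hard-coded list.

```javascript
// Added example: check a Node.js version string against a constructed
// vulnerability database. Not the is-my-node-vulnerable package's code.

// Constructed sample database (placeholder ids, not real advisories).
// Each entry lists version ranges that are affected; an entry matches when
// the installed version satisfies ANY range, and a range is a list of
// comparators that must ALL hold.
const SAMPLE_DB = [
  { id: 'EXAMPLE-0001', severity: 'high',
    overview: 'Constructed entry: 18.x releases before 18.14.0',
    vulnerable: ['>=18.0.0 <18.14.0'] },
  { id: 'EXAMPLE-0002', severity: 'medium',
    overview: 'Constructed entry: 14.x before 14.21.3 and 16.x before 16.19.1',
    vulnerable: ['>=14.0.0 <14.21.3', '>=16.0.0 <16.19.1'] },
  { id: 'EXAMPLE-0003', severity: 'low',
    overview: 'Constructed entry: every release before 12.0.0',
    vulnerable: ['<12.0.0'] },
];

// Parse "v18.12.1" (or "18.12.1", or a nightly such as "v19.0.0-pre")
// into [major, minor, patch]. Prerelease tags are ignored on purpose.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`Unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as "<18.14.0" or ">=16.0.0" (no operator means "=").
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`Bad comparator in database: ${comparator}`);
  const op = m[1] || '=';
  const cmp = compareVersions(version, m[2]);
  switch (op) {
    case '>=': return cmp >= 0;
    case '<=': return cmp <= 0;
    case '>': return cmp > 0;
    case '<': return cmp < 0;
    default: return cmp === 0;
  }
}

// A range is a whitespace-separated list of comparators; all must hold.
function satisfiesRange(version, range) {
  const parts = range.split(/\s+/).filter(Boolean);
  if (parts.length === 0) throw new Error('Empty range in database');
  return parts.every((c) => satisfiesComparator(version, c));
}

// All database entries that affect the given version.
function findVulnerabilities(version, db = SAMPLE_DB) {
  return db.filter((entry) =>
    entry.vulnerable.some((range) => satisfiesRange(version, range)));
}

function isVulnerable(version, db = SAMPLE_DB) {
  return findVulnerabilities(version, db).length > 0;
}

// Print a report for the running Node.js and return a process exit code
// (0 = nothing matched, 1 = at least one entry matched).
function report(version = process.version, db = SAMPLE_DB) {
  const hits = findVulnerabilities(version, db);
  if (hits.length === 0) {
    console.log(`${version} is not affected by any entry in the database.`);
    return 0;
  }
  console.log(`${version} is affected by ${hits.length} known issue(s):`);
  for (const h of hits) {
    console.log(`  ${h.id} [${h.severity}] ${h.overview}`);
  }
  console.log('Upgrade to a release outside the listed ranges.');
  return 1;
}

// Run as a script: `node check.js` (the file name is an assumption).
if (typeof require !== 'undefined' && require.main === module) {
  process.exitCode = report();
}
```

The only part worth copying from this into a real checker is the shape of the decision: parse the installed version once, evaluate every entry's ranges independently, and fail closed (throw) on malformed database data rather than silently treating it as "not affected".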
We had one Security Working Group meeting in December and three Technical Steering Committee meetings.

https://github.com/nodejs/security-wg