security-wg: Missing PGP key

I just realized that there is no regular way to report a security issue in a safe way since there is no PGP key for security@nodejs.org. Using plain text to report a security issue is a no-go. Emails are always unsafe by their nature when not used with PGP.

This is really a bad sign from my perspective that a “secure” way is actually not secure at all… Please fix that ASAP and also update https://nodejs.org/en/security/.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments: 19 (19 by maintainers)

Most upvoted comments

To me it still feels wrong that we have no PGP key. Using a ticket system like OTRS with accounts would allow the decryption to be handled transparently. If someone on the admin teams leaves, it would be possible to revoke and create the new key transparently as well.