Track adoption of potential OpenJSF Security Program

[achrinza]

The OpenJS Foundation (OpenJSF) (and previously Node.js Foundation) has indicated plans of creating a new security program for the Node.js ecosystem, scoped more narrowly to the OpenJSF projects.

The previous Node.js Third-Party Ecosystem Security Program that was managed by the Node.js Security Working Group was scoped to:

• Managed a HackerOne Program with bounties for select NPM packages
• Managed a vulnerability database for NPM packages (initially donated by NSP)

Although it's not clear at this moment what this new program would entail, it seems like it might be a lift-and-shift, but with a focus on OpenJSF projects.

This issue is to track this work of the OpenJSF and to hold discussions on its applicability to LoopBack.

see: openjs-foundation/cross-project-council#826 (comment)
see: nodejs/security-wg#662 (comment)
see: nodejs/security-wg#494 (comment)
see: aboutcode-org/vulnerablecode#488 (comment)

[achrinza]

OpenJSF is becoming a CNA. Summary:

• CVE Challenges for OpenJS Projects  openjs-foundation/security-collab-space#102
• OpenJS Projects and CVE Numbering Authorities openjs-foundation/security-collab-space#104

Currently we are using GitHub as a CNA (and IBM before that). Switching to OpenJSF would mean:

1. We have closer line of support with publishing and updating advisories,
   This is the recommendation by MITRE themselves that we should be using a CNA that is as closely scoped to our project as possible

2. We can dispute CVEs of our project published through other CNAs
   IIRC this is why Node.js has their own CNA even when they publish CVEs via HackerOne

As OpenJSF will also have their own security advisories database, we would need a playbook for generating and syncing any new advisories from our database to theirs:

• Add Security page to www.openjsf.org openjs-foundation/security-collab-space#239
• Create CNA GitHub webpage repo and DNS CNAME openjs-foundation/security-collab-space#238