# Package Vulnerability Management & Reporting Collaboration Space Kick-Off

> Date: Tuesday May 11th, 2021

### Attendees

- Wesley Todd (@wesleytodd)
- Darcy Clarke (@darcyclarke)
- Dominykas Blyžė (@dominykas)
- Michael Dawson (@mhdawson)
- Jordan Harband (@ljharb)
- Zbigniew Tenerowicz (@naugtur)
- Robin Ginn ()
- Tim Branyen (@tbranyen)

### Agenda

1. [**Code of Conduct** Acknowledgement](https://github.com/openjs-foundation/pkg-vuln-collab-space/blob/darcyclarke/initial-commit/CODE_OF_CONDUCT.md)
1. Issue with Agenda - https://github.com/openjs-foundation/pkg-vuln-collab-space/issues/2
1. **Introductions**
    1. Everybody gave a short introduction to themselves and their interest in the group.
1. Quick recap of the scope/proposal
1. Outline plan for the session
1. Assign action items and schedule next meeting

### Notes

#### 4. On Scope & Proposal

- @mhdawson high-level overview on what a Collab Space is:
    - exists for groups that want to get together but aren't attributed to a single project
    - brings together folks that might not be regular members of the CPC or of a project
    - can work on products/projects that are useful to the wider ecosystem
    - foundation can offer support to these groups
    - meant to provide a vehicle for various constituents/special interest groups to come together
- @wesleytodd - reporting, tooling
- @darcyclarke
    - Where this should live has been a question
    - These issues span more than just Node or npm, so the foundation seems like a good fit

#### 5. Planning for OpenJS Session

- @wesleytodd
    - on size... we're okay w/ having `n` people on the panel
    - loose scheduling on the Q&A portion
    - We will try to schedule 2-3 times for different regions
- @darcyclarke - we want to be careful of calling folks out, we are not pointing fingers
- @naugtur - if we focus on ReDoS, that is relatable and not focused on anyone in particular
- @mhdawson - another example is having to do a release despite it not applying

---

### Proposed OpenJS Agenda:

```markdown=
# OpenJS World Community Session - 30 min

> Day/Time:

### Agenda

1. **Introductions**
    - Wesley Todd (@wesleytodd)
    - Darcy Clarke (@darcyclarke)
2. **Talk about proposal & intent** (i.e. Who/What/Why/How)
    - Scope
    - Constituents
    - Collaborators
3. **Talk about the problem space**
    - Types of CVEs (ex. ReDoS, prototype pollution)
    - For security researchers
        - Do nothing (ignore)
        - Create a CVE
    - For maintainers
        - Do nothing (ignore)
        - Fix the "problem"
        - Cut a new release
    - For end-users/consumers
        - Do nothing (ignore)
        - Bug the maintainer
        - Fix the "problem" & submit a PR
    - Existing tools/actions to take by researchers, maintainers & end-users
    - Case Studies/Testimonials:
        - End-users: `npm-audit-resolver` project (@zb)
        - Maintainers: (@ljharb / @bcoe)?
        - Security Researchers: ...
4. **Next Steps & Actions**
5. **Interesting? Come & Join Us!**
```

---

### Actions

- [x] @robin to circle back to ensure the talk is scheduled properly & Wes/Darcy have given proper information for the website
- [ ] @wesleytodd to help coordinate/schedule Q&A timing for best coverage across timezones (OpenJS World)
- [ ] @darcyclarke to create a PR for the agenda proposal for the OpenJS World Panel Session
- [ ] @everyone canvas for other attendees/participants from diverse backgrounds for the OpenJS World session
- [ ] @wesleytodd to help get three testimonials/case studies
- [ ] @darcyclarke & @wesleytodd to edit down video/case studies
- [ ] @darcyclarke & @wesleytodd to circle back w/ Racheal about the blog post
- [ ] 🗓 @wesleytodd **Determine meeting cadence before conference!**