Member of the Node.js Security WG

The Ecosystem Security Working Group works to improve the security of the Node.js Ecosystem.

Responsibilities include:

Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
Maintain and make available data on disclosed security vulnerabilities in:
- The core Node.js project
- Other projects maintained by the Node.js Foundation technical group
- The external Node.js open source ecosystem
Promote the improvement of security practices within the Node.js ecosystem.
Facilitate and promote the expansion of a healthy security service and product provider ecosystem.

My participation

Joined the Node.js Security WG in may'22
Coauthored the Node.js Official Security Best Practices and keep it updated
Coauthored the Node.js Official Threat Model
Helped to implement the OpenSFF Scorecard in the Node.js Organization
Published blog post: You should use the OpenSSF Scorecard
Created the Github Action: OpenSSF Scorecard Monitor to enable an easy way to monitor the score of all the repositories in the org and dependencies. See report
Added pipelines to manage the OpenSFF Scorecard in the Node.js Security WG
Ported the project is-my-node-vulnerable to Github Actions
Improve the OpenSFF Scorecard scoring across the Node.js Organization. Example
Review and maintain The OpenSSF CII-Best-Practices for Node.js
- Achieve the Silver level
- Achieve the Golden level
Actively participating in multiple initiatives: Pull requests, commits, issues