Description
As we discussed in one of our Alpha-Omega syncs, I want to set up one place where any OpenJS project can ask for security help—process questions, fixes, disclosure steps, CVE requests, whatever. I’m fine being the first point of contact and looping others in when it makes sense.
We were thinking about poking individual maintainers to see if they need help. But, in my opinion, that feels invasive, and it's easy to miss - even though it doesn’t scale — we end up guessing who needs support. Most projects don’t need another best-practices doc; they need practical guidance like “how do we patch and release this?” An open line lets maintainers raise their hand, drop context once, and get a fast, direct answer. It also means we spend our time where it helps.
The proposal is simple: create a #security-help channel in the OpenJS Slack, open to project maintainers. For private or embargoed reports, we can point folks to an email alias or just say “open a GitHub security advisory and ping me.” When someone asks for help, they include the project/repo, affected versions (if known), a short description, and what they need—review, patch plan, CVE, etc. I’ll monitor and answer, and bring in the Security WG or Alpha-Omega folks when needed. Repeated questions can go into a small FAQ.
What do you think?