Security Responsibilities for Emeritus Projects

[UlisesGascon]

Following up on issue #286, I’ve been thinking about the current security expectations for projects in the Emeritus category (especially now that they technically fall under our CNA).

Some of these projects are archived or frozen, while others still apply patches occasionally (e.g., requirejs/requirejs@945ae6b).

To open the discussion:

• Are Emeritus projects expected to continue managing CVEs (e.g., creation, dispute, triage)?
• Are they expected to produce and release security patches?

[ljharb]

The CNA's scope is "all projects" - project status is irrelevant.

Just because there's a CNA doesn't mean anything ever needs to be patched, in any project - we'd just issue a CVE without a fix.

[ctcpip]

notes from today's sec mtg:

• the archive stage means projects are no longer developing new features nor patching security issues
• archived projects, if they had a security reporting mechanism, it is likely no longer active
  • how will we get reports?
  • could be to the openjs security/cna email
  • could be via other routes
• group agreed to handle on case-by-case basis because we don't want to promise that we will necessarily investigate, review, and disclose everything that comes in
  • will assess based on the project, vuln details, severity, etc.
  • may be hard to reproduce, confirm
• CNA has no requirement to publish a CVE, but has right of first refusal
  • if we cannot or do not wish to investigate/confirm a vuln, we must accept that others may publish CVEs since we refused to do so