
Node.js Maintainers Threat Model: Access per Group table #1618

@RafaelGSS


Hi folks, as part of the Node.js Security initiative we have created a table of access per group based on the available roles under the Node.js org. We'd like to get some feedback/review. Feel free to edit the table if you think something is wrong (I can read the history and update our hackmd table).

The idea is to have a table of permissions and then look at the threats each role has and its impact on the nodejs organization.

Access per Group

Levels: (-) none, (r) read, (w) write, (a) admin/owner (inspiration from https://mason.gmu.edu/~montecin/UNIXpermiss.htm)

Additional notes:

  • While some teams can have access to a resource, like the secrets, they might have different access levels internally based on sub-groups.
  • Some individuals and teams have access, such as write, to different GitHub repositories in the org, like Working Groups or subteams.

Notes

¹ All repositories with code that gets published or has some impact on nodejs/core.
² Releasers have access to run CI during CI Embargo (Security Release).

Each column lists one level per sub-group, in the order given in the column header (a single `-` means none for every sub-group).

| Resource | External people | Contributors (Core/Triagers/WG) | Build (Test/Infra/Admin) | Admin (TSC/Releasers/Moderation) | Security (Stewards/Triagers/External) | GitHub (Actions/Plugins) |
|---|---|---|---|---|---|---|
| HackerOne | - | --- | --- | aw- | www | -- |
| MITRE | - | --- | --- | a-- | w-- | -- |
| private/node-private | - | --- | www | aw- | w-w | -- |
| private/security-release | - | --- | --- | a-- | ww- | -- |
| private/secrets | - | --- | www | a-- | --- | -- |
| nodejs/node | r | wrr | rrw | awa | rrr | wr |
| nodejs/deps¹ | r | rrr | rrw | arr | rrr | wr |
| nodejs/build (GH) | r | rrr | rrw | awa | rrr | wr |
| nodejs/node-core-utils | r | rrr | rrw | awa | rrr | wr |
| npm account | - | - | -a- | a-- | --- | -- |
| Jenkins CI - test | r | ww- | wwa | -w²- | --- | ww |
| Jenkins CI - release | - | --- | -ww | -w- | --- | -- |
| Infra - test | - | w-- | aaa | ww- | -w- | ww |
| Infra - release | - | --- | -ww | -w- | --- | -- |
| Build infra | - | --- | -a- | --- | --- | -- |
| Website Infra | - | --- | -a- | a-- | --- | -- |
| Youtube | - | --w | --- | a-- | --- | -- |
| Zoom | r | rrw | --- | a-- | --- | -- |
| 1Password | - | --r | --- | a-- | --- | -- |
| Social media accounts | - | --- | --- | --- | --- | -- |
| Email (nodejs-sec) | r | rrr | rrr | awr | wrr | rr |
| Email (io.js aliases) | r | --- | -a- | w-- | --- | -- |

Repos under nodejs which do not include code are not covered, as they cannot lead to the threats listed.
pkgjs.org is excluded as it does not include code/repos that make it into Node.js binaries.
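To support the next step the issue describes (looking at the threats each role has and their impact), here is an added example, not part of the issue or of the Node.js project's tooling, that parses the rows above into a per-sub-group access matrix in JavaScript and answers the questions a reviewer asks of such a table: who holds admin on a resource, what a single sub-group can touch, and which resources list no admin/owner at all. The pipe-separated transcription of the table and the `Column/Sub-group` naming are constructed here; the single `-` in the `npm account` row is treated as none for every sub-group, and the ² footnote marker is stripped while parsing.

```javascript
"use strict";

// Column layout of the access-per-group table: each column carries one
// permission character per sub-group, in this order (constructed from the
// column headers of the table above).
const COLUMNS = [
  { name: "External", subgroups: ["People"] },
  { name: "Contributors", subgroups: ["Core", "Triagers", "WG"] },
  { name: "Build", subgroups: ["Test", "Infra", "Admin"] },
  { name: "Admin", subgroups: ["TSC", "Releasers", "Moderation"] },
  { name: "Security", subgroups: ["Stewards", "Triagers", "External"] },
  { name: "GitHub", subgroups: ["Actions", "Plugins"] },
];

// Levels from the legend, ordered so that "at least write" can be compared.
const LEVEL_RANK = { "-": 0, r: 1, w: 2, a: 3 };

// Rows of the table, transcribed with '|' separators. The ² marker on the
// Jenkins row is kept on purpose to show it is dropped by the parser.
const TABLE = `
HackerOne | - | --- | --- | aw- | www | --
MITRE | - | --- | --- | a-- | w-- | --
private/node-private | - | --- | www | aw- | w-w | --
private/security-release | - | --- | --- | a-- | ww- | --
private/secrets | - | --- | www | a-- | --- | --
nodejs/node | r | wrr | rrw | awa | rrr | wr
nodejs/deps | r | rrr | rrw | arr | rrr | wr
nodejs/build (GH) | r | rrr | rrw | awa | rrr | wr
nodejs/node-core-utils | r | rrr | rrw | awa | rrr | wr
npm account | - | - | -a- | a-- | --- | --
Jenkins CI - test | r | ww- | wwa | -w²- | --- | ww
Jenkins CI - release | - | --- | -ww | -w- | --- | --
Infra - test | - | w-- | aaa | ww- | -w- | ww
Infra - release | - | --- | -ww | -w- | --- | --
Build infra | - | --- | -a- | --- | --- | --
Website Infra | - | --- | -a- | a-- | --- | --
Youtube | - | --w | --- | a-- | --- | --
Zoom | r | rrw | --- | a-- | --- | --
1Password | - | --r | --- | a-- | --- | --
Social media accounts | - | --- | --- | --- | --- | --
Email (nodejs-sec) | r | rrr | rrr | awr | wrr | rr
Email (io.js aliases) | r | --- | -a- | w-- | --- | --
`;

// Parse one row into { resource, access: { "Column/Subgroup": level } }.
function parseRow(line) {
  const [resource, ...cells] = line.split("|").map((s) => s.trim());
  if (cells.length !== COLUMNS.length) {
    throw new Error(`${resource}: expected ${COLUMNS.length} cells, got ${cells.length}`);
  }
  const access = {};
  COLUMNS.forEach((col, i) => {
    let chars = cells[i].replace(/[^-rwa]/g, ""); // strip footnote markers
    if (chars.length === 1) chars = chars.repeat(col.subgroups.length); // "-" shorthand
    if (chars.length !== col.subgroups.length) {
      throw new Error(`${resource}/${col.name}: bad cell "${cells[i]}"`);
    }
    col.subgroups.forEach((sub, j) => {
      access[`${col.name}/${sub}`] = chars[j];
    });
  });
  return { resource, access };
}

// Parse the whole table into a Map: resource -> access object.
function parseTable(text) {
  const matrix = new Map();
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const { resource, access } = parseRow(line);
    matrix.set(resource, access);
  }
  return matrix;
}

// Sub-groups holding at least `level` on `resource`, in column order.
function holdersAtLeast(matrix, resource, level) {
  const row = matrix.get(resource);
  if (!row) throw new Error(`unknown resource: ${resource}`);
  return Object.entries(row)
    .filter(([, lvl]) => LEVEL_RANK[lvl] >= LEVEL_RANK[level])
    .map(([group]) => group);
}

// Every resource one sub-group can touch, with its level (none omitted).
function accessOf(matrix, group) {
  const out = {};
  for (const [resource, row] of matrix) {
    if (!(group in row)) throw new Error(`unknown group: ${group}`);
    if (row[group] !== "-") out[resource] = row[group];
  }
  return out;
}

// Resources for which the table records no admin/owner at all.
function resourcesWithoutAdmin(matrix) {
  return [...matrix.keys()].filter((r) => holdersAtLeast(matrix, r, "a").length === 0);
}

const MATRIX = parseTable(TABLE);

// Example usage: what one role can reach, and which resources name no owner.
console.log(accessOf(MATRIX, "Admin/Releasers"));
console.log(resourcesWithoutAdmin(MATRIX));
```

`accessOf` is the per-role view the issue asks to reason about (the blast radius of one compromised account), while `resourcesWithoutAdmin` is the kind of consistency check that is cheap to run every time the table is edited.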
