From 57df1e6c62e0dbb0cadd59b48ee1c7266fe6f040 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Thu, 4 Jul 2019 14:41:33 -0700 Subject: [PATCH] process: update Node.js sec membership policy The policy was spread across two files, had mild contradictions (one doc said membership was confirmed by the TSC, the other said it was confirmed by the current members), referenced the unused GitHub issue tracker (HackerOne is used now), and had lots of mention of the @nodejs/security team, which does not in itself have access to ANY private issues or patches (I removed those refs). The policy is essentially unchanged, just more readable, and in one file so it shouldn't drift out of sync as easily. --- README.md | 3 +- processes/security_team_members.md | 136 ++++++++----------- processes/security_team_membership_policy.md | 33 ----- 3 files changed, 60 insertions(+), 112 deletions(-) delete mode 100644 processes/security_team_membership_policy.md diff --git a/README.md b/README.md index 0ea06964d..d63d42143 100644 --- a/README.md +++ b/README.md @@ -138,7 +138,7 @@ undisclosed vulnerabilities in any of the Node.js programs on HackerOne Managed by the [Ecosystem Triage Team][]. * [*Node.js Vulnerabilities*](https://hackerone.com/nodejs): Managed by the - @nodejs/security team. + [Node.js Triage Team][]. # Code of Conduct @@ -150,3 +150,4 @@ The [Node.js Moderation Policy](https://github.com/nodejs/admin/blob/master/Mode [Node.js TSC]: https://github.com/nodejs/TSC [Ecosystem Triage Team]: processes/third_party_vuln_process.md#members +[Node.js Triage Team]: processes/security_team_members.md#team-that-triages-security-reports-against-node-core diff --git a/processes/security_team_members.md b/processes/security_team_members.md index 95ab5e0ec..21f7610ad 100644 --- a/processes/security_team_members.md +++ b/processes/security_team_members.md 
@@ -7,94 +7,74 @@ yet been disclosed publicly, including the existence of issues, expectations of upcoming releases, and patching of any issues other than in the process of their work as a member of the security team. -Membership on the security teams can be requested via an issue in the TSC repo, -and must be approved by current team members. +## Node.js Security Team Membership Policy -Members of the security teams should indicate that they accept the privacy -policies by PRing their acceptance to this file. +The Node.js Security Team has access to security-sensitive issues and patches +that aren't appropriate for public availability. -## Team that triages security reports against node core +The policy for inclusion is as follows: -- @bnoordhuis - **Ben Noordhuis** -- @cjihrig - **Colin Ihrig** -- @indutny - **Fedor Indutny** -- @jasnell - **James M Snell** -- @mcollina - **Matteo Colina** -- @mhdawson - **Michael Dawson** -- @MylesBorins - **Myles Borins** -- @rvagg - **Rod Vagg** -- @vdeturckheim - **Vladimir de Turckheim** +1. All members of @nodejs/TSC have access to private security reports and + private patches. +2. Members of the [release team](https://github.com/nodejs/node#release-team) + have access to private security patches in order to produce releases. +3. On a case-by-case basis, individuals outside the Technical Steering + Committee are invited by the TSC to have access to private security reports + or private patches so that their expertise can be applied to an issue or + patch. This access may be temporary or permanent, as decided by the TSC. -### Emeritus +Membership on the security teams can be requested via an issue in the TSC repo. -- @jasnell - **James M Snell** -- @shigeki - **Shigeki Ohtsu** +## Team that triages security reports against Node.js -List is from ["security" alias](https://github.com/nodejs/email/blob/master/iojs.org/aliases.json). 
+The [TSC](https://github.com/nodejs/node#tsc-technical-steering-committee) +are all members of the Triage Team. -## Team with access to security issues +These non-TSC and TSC Emeriti are Triage Team members: +- [bnoordhuis](https://github.com/bnoordhuis) - **Ben Noordhuis** +* [indutny](https://github.com/indutny) - **Fedor Indutny** +* [rvagg](https://github.com/rvagg) - **Rod Vagg** +- [vdeturckheim](https://github.com/vdeturckheim) - **Vladimir de Turckheim** -- @ChALkeR - **Сковорода Никита Андреевич** -- @Fishrock123 - **Jeremiah Senkpiel** -- @MylesBorins - **Myles Borins** -- @Trott - **Rich Trott** -- @addaleax - **Anna Henningsen** -- @bnoordhuis - **Ben Noordhuis** -- @cjihrig - **Colin Ihrig** -- @dougwilson - **Douglas Wilson** -- @ejratl - **Emily Ratliff** -- @evanlucas - **Evan Lucas** -- @evilpacket - **Adam Baldwin** -- @grnd - **Danny Grander** -- @indutny - **Fedor Indutny** -- @jasnell - **James M Snell** -- @jbergstroem - **Johan Bergström** -- @joaocgreis - **João Reis** -- @joshgav - **Josh Gavant** -- @mhdawson - **Michael Dawson** -- @mscdex - **Brian White** -- @ofrobots - **Ali Ijaz Sheikh** -- @rvagg - **Rod Vagg** -- @saghul - **Saúl Ibarra Corretgé** -- @sam-github - **Sam Roberts** -- @shigeki - **Shigeki Ohtsu** -- @targos - **Michaël Zasso** -- @thefourtheye - **Sakthipriyan Vairamani** -- @trevnorris - **Trevor Norris** - -List is from [nodejs/teams/security](https://github.com/orgs/nodejs/teams/security/members). +List is from the [member page](https://hackerone.com/nodejs/team_members) for +the Node.js program on HackerOne. 
## Team with access to private security patches -- @addaleax Anna Henningsen -- @bnoordhuis Ben Noordhuis -- @ChALkeR Сковорода Никита Андреевич -- @cjihrig Colin Ihrig -- @dougwilson Douglas Wilson -- @evanlucas Evan Lucas -- @evilpacket Adam Baldwin -- @Fishrock123 Jeremiah Senkpiel -- @hackygolucky Tracy -- @indutny Fedor Indutny -- @jasnell James M Snell -- @jbergstroem Johan Bergström -- @joaocgreis João Reis -- @joshgav Josh Gavant -- @mhdawson Michael Dawson -- @mrhinkle Mark Hinkle -- @MylesBorins Myles Borins -- @ofrobots Ali Ijaz Sheikh -- @rvagg Rod Vagg -- @saghul Saúl Ibarra Corretgé -- @sam-github Sam Roberts -- @targos Michaël Zasso -- @thefourtheye Sakthipriyan Vairamani -- @Trott Rich Trott + -List is from -[orgs/nodejs-private/people](https://github.com/orgs/nodejs-private/people), -who have access to -[nodejs-private/node-private](https://github.com/nodejs-private/node-private). +- [@addaleax](https://github.com/addaleax) - Anna Henningsen +- [@apapirovski](https://github.com/apapirovski) - Anatoli Papirovski +- [@BethGriggs](https://github.com/BethGriggs) - Bethany Nicolle Griggs +- [@bnoordhuis](https://github.com/bnoordhuis) - Ben Noordhuis +- [@BridgeAR](https://github.com/BridgeAR) - Ruben Bridgewater +- [@ChALkeR](https://github.com/ChALkeR) - Сковорода Никита Андреевич +- [@cjihrig](https://github.com/cjihrig) - Colin Ihrig +- [@codebytere](https://github.com/codebytere) - Shelley Vohr +- [@danbev](https://github.com/danbev) - Daniel Bevenius +- [@dougwilson](https://github.com/dougwilson) - Douglas Wilson +- [@evanlucas](https://github.com/evanlucas) - Evan Lucas +- [@evilpacket](https://github.com/evilpacket) - Adam Baldwin +- [@fhinkel](https://github.com/fhinkel) - F. 
Hinkelmann +- [@Fishrock123](https://github.com/Fishrock123) - Jeremiah Senkpiel +- [@gabrielschulhof](https://github.com/gabrielschulhof) - Gabriel Schulhof +- [@gibfahn](https://github.com/gibfahn) - Gibson Fahnestock +- [@gireeshpunathil](https://github.com/gireeshpunathil) - Gireesh Punathil +- [@indutny](https://github.com/indutny) - Fedor Indutny +- [@jasnell](https://github.com/jasnell) - James M Snell +- [@jbergstroem](https://github.com/jbergstroem) - Johan Bergström +- [@joaocgreis](https://github.com/joaocgreis) - João Reis +- [@joyeecheung](https://github.com/joyeecheung) - Joyee Cheung +- [@mcollina](https://github.com/mcollina) - Matteo Collina +- [@mhdawson](https://github.com/mhdawson) - Michael Dawson +- [@MylesBorins](https://github.com/MylesBorins) - Myles Borins +- [@rvagg](https://github.com/rvagg) - Rod Vagg +- [@saghul](https://github.com/saghul) - Saúl Ibarra Corretgé +- [@sam-github](https://github.com/sam-github) - Sam Roberts +- [@shigeki](https://github.com/shigeki) - Shigeki Ohtsu +- [@targos](https://github.com/targos) - Michaël Zasso +- [@thefourtheye](https://github.com/thefourtheye) - Sakthipriyan Vairamani +- [@Trott](https://github.com/Trott) - Rich Trott +- [@vdeturckheim](https://github.com/vdeturckheim) - Vladimir de Turckheim -Every member of the team with access to security issues should have access to -the private security patches as well. + diff --git a/processes/security_team_membership_policy.md b/processes/security_team_membership_policy.md deleted file mode 100644 index 2d05c3f0d..000000000 --- a/processes/security_team_membership_policy.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Node.js Security Team Membership Policy - -The Node.js Security Team (@nodejs/security) has -access to security-sensitive issues and patches that aren't appropriate for -public availability. - -> Note: Due to implementation details and a bit of human error, the list of -> people with access to the security patches isn't 100% in line with the -> @nodejs/security membership. See the [membership list](./security_team_members.md) -> for details. This situation is intended to be corrected in the near future. - -This is different than the security triage team, which is defined by the -[`security@nodejs.org` email alias](https://github.com/nodejs/email/blob/master/iojs.org/aliases.json). -Inclusion in that group is on a volunteer basis, upon approval by the Technical -Steering Committee (TSC). - -The policy for inclusion on the @nodejs/security is as follows: - -1. All members of @nodejs/TSC are members of @nodejs/security. -2. On a case-by-case basis, individuals outside the Technical Steering Committee - are invited by the TSC to join @nodejs/security so that their expertise can - be applied to an issue or patch. Once their assistance is no longer required - for a particular issue or patch, they are removed from the team. -3. Members of the [release team](https://github.com/nodejs/node#release-team) - are also members of @nodejs/security, as they need access to the patches in - order to produce releases. -4. Members of the security triage team are members of @nodejs/security. - -Members of the security team have access to: - -* The security repo where issues are discussed. -* The nodejs-private GitHub organization which is used as part of the process - for creating security releases.
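Review bot: the new reference definition in the README's second hunk, `[Node.js Triage Team]: processes/security_team_members.md#team-that-triages-security-reports-against-node-core`, points at a heading slug this same patch renames. In `processes/security_team_members.md` the heading `## Team that triages security reports against node core` becomes `## Team that triages security reports against Node.js`, so the generated anchor will be `#team-that-triages-security-reports-against-nodejs` and the README link will land at the top of the file instead of the section. Update the anchor to match the new heading text (or keep the old heading).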
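Review bot: the hunk in `processes/security_team_members.md` drops two statements without replacing them, and the commit message's "essentially unchanged" does not account for either: `Members of the security teams should indicate that they accept the privacy policies by PRing their acceptance to this file.` (the only recorded mechanism by which a member acknowledges the confidentiality expectations in the paragraph just above it) and `Every member of the team with access to security issues should have access to the private security patches as well.` (the invariant that tied the two lists together). If acceptance by PR is still expected, keep that sentence under the new `## Node.js Security Team Membership Policy` heading; if the invariant still holds, restate it after the patch-access list so the two lists can be checked against each other. Two style points in the same hunk: the triage list mixes bullet markers (`- [bnoordhuis]`, `* [indutny]`, `* [rvagg]`, `- [vdeturckheim]`) and omits the `@` prefix that the patch-access list uses (`[@addaleax]`); pick one form for both lists.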
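Review bot: deleting `processes/security_team_membership_policy.md` removes rules that the new policy text does not carry over. Item 2's `Once their assistance is no longer required for a particular issue or patch, they are removed from the team.` becomes `This access may be temporary or permanent, as decided by the TSC.` in the new file, which no longer requires removal at all; item 4, `Members of the security triage team are members of @nodejs/security.`, disappears with nothing stating that triage members also get patch access; and the closing `Members of the security team have access to:` list (the security repo, the nodejs-private GitHub organization) is gone, so the new file never says what the access being granted actually is. Either restore these points in `security_team_members.md` or record the loosening in the commit message rather than describing the policy as essentially unchanged.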