Submit application for GitHub Secure Open Source Fund.

[mhdawson]

OpenJS projects are pre-approved. We need to apply.

https://resources.github.com/github-secure-open-source-fund/

use OpenJS for referral

Form says application ends today, but it is being held open for OpenJS projects.

[mcollina]

The question is who will do the mandatory training :). Have we got any volunteer?

[BridgeAR]

I think it would be great to apply as small team of 3 as described in the application and to have at least one active person from the @nodejs/security-wg and one from the @nodejs/tsc.

[mhdawson]

We discussed in the meeting today and there was general agreement that we should apply. This is the approach that I think we agreed to:

1. We will try to find up to three collaborators who are interested in participating. Ideally 1 already active in the security WG team and 2 who might have an interest to learn more about security, participate in the training and express an interest in being more active in the security work of the project going forward.
2. For people who are not funded to work on security in the project and who can take $, we will pass on the $ we receive from the program to those who participate based on their contribution. We will have a total of something like $9300 (10k, minus the 7% fee if Foundation manages the funds for the project). Some of that is for participating in the training and some for later checkpoints.
3. If we don't get any other interested collaborators, @RafaelGSS can act as our fallback taking some of the 50% of his time that is funded by Alpha Omega to support security in the Node.js project this year. The hope is that since the training is less than 5 hours a week for 3 weeks that it would be a small enough part of the 50% time he has for Node.js. Similarly the check-in/status report would be a smaller number of hours twice in the rest of the year.
4. To find out if there are other interested collaborators we will:
   • at mention nodejs core collaborators in this issue, with a deadline of tomorrow for expressing interest
   • at mention the security working group in this issue, with a deadline of tomorrow for expressing interest
     based on the response we will then decide how to proceed.

[mhdawson]

@nodejs/collaborators if you are interested/can commit to being part of the team that will fulfill the requirements of the program please comment in this issue.

@nodejs/security-wg if you are interested/can commit to being part of the team that will fulfill the requirements of the program please comment in this issue.

The deadline to express interest is Thursday Jan 9th at 5 ET as we need to submit the application on Friday.

[metcoder95]

Hey! 👋
I believe I'm not part of the nodejs/collaborators group as is tho (I'm with nodejs/undici), but I'm happy to commit of being part of the team; also go further to participate in these security efforts.

[mhdawson]

@metcoder95 thanks for volunteering, I'll talk to @RafaelGSS about how we submit the application

[RafaelGSS]

Just applied. I have included @metcoder95 to take the training with me.

[mhdawson]

@RafaelGSS thanks for submitting and @metcoder95 thanks for volunteering, looking forward to Node.js participating in the program.

[MrJithil]

Any chance of inclusions after the deadlines? If yes, please count me.