Merge pull request #198 from ossf/add-nodejs-july-update

doc: add Node.js July update

alpha/engagements/2023/node.js/update-2023-07.md

@@ -0,0 +1,90 @@
+# Update 2023-07
+
+The following update is according to the [Security Support Role](./security-support-role.md) document.
+
+Each section points to at least one item on the priority list defined by the Security Support Role document.
+
+## 1) Fix and Triage Security Issues
+
+  * TODO: Waiting H1 digest
+  * 7 fixes ready + 3 backports for the next security release
+  * Discussions about Node.js policy mechanism
+  * Final action to the assessment against experimental features
+
+## 2) Support for Security Releases
+
+* Rafael taking lead in the Next Security Release - https://github.com/nodejs/node/pull/48569
+
+* Security Release initial work
+  * All the processes described by [security release process](https://github.com/RafaelGSS/node/blob/sec-release-stewards-update/doc/contributing/security-release-process.md) were done.
+  * Reports evaluated
+  * CVEs were requested
+  * Sec Release announcement (pre/pos)
+
+* The Security Release will include updates to OpenSSL
+
+* Regular releases
+  * v20.4.0 (Rafael)
+  * v18.17.0
+  * v20.5.0
+
+## 3) Node.js Security WG Initiatives
+
+2023 Security Initiatives - https://github.com/nodejs/security-wg#current-initiatives
+
+Permission Model:
+  * Re-evaluation of Permission Model
+    * Research in other runtimes and languages.
+  * Add permission model debug - https://github.com/nodejs/node/pull/48677
+  * Add support to process.report.writeReport and v8 heapSnapshot - https://github.com/nodejs/node/pull/48564
+  * Restrict all permission model access when --experimental-permission is passed - https://github.com/nodejs/node/pull/48907
+  * Add Permission Model startup benchmark - https://github.com/nodejs/node/pull/48905/
+  * Fix Permission Model usage on Node.js REPL - https://github.com/nodejs/node/pull/48920
+
+* Assessment against Best Practices
+  * Continuos improvement on every Security WG Call
+  * CII-Best-Practices
+    * Entry Level - Done
+    * Silver Level - 1 Question remaining - Waiting OSSF Team
+    * https://github.com/nodejs/security-wg/issues/953
+
+* Automate Security Release process
+  * PR MERGED to automate the release proposal for security releases
+    * https://github.com/nodejs/node-core-utils/pull/665
+  * PR Created to automate the Next Security Release issue
+    * This PR automates the process of
+    * Generating Next Security Release issue
+    * Collect H1 Reports
+    * https://github.com/nodejs/node-core-utils/pull/715
+  * Drop `<b>` in release tags - https://github.com/nodejs/node/pull/48649
+  * Mention git node release - https://github.com/nodejs/node/pull/48644
+  * Fixes to git node release
+    * https://github.com/nodejs/node-core-utils/pull/711
+    * https://github.com/nodejs/node-core-utils/pull/712
+
+## 4) Node.js Security Sustainability
+
+* Speaking Engagments:
+  * NodeBR - Experience (July 22th) - Done
+  * The Journey of the Node.js Permisison Model - NodeConf (Nov 6) - Accepted
+  * Open Source Experience Paris (Dec 6) - Accepted
+  * Node.js Collab Summit - Applied
+
+## 5) Improving Security Processes
+
+* Node.js major release (changelog) discussion - https://github.com/nodejs/TSC/issues/1371
+* doc: remove nodejs/tweet mention - https://github.com/nodejs/node/pull/48769
+* CVSS Calculator considering experimental features - https://github.com/nodejs/node/pull/48824
+* OSSF Funding Work Description - https://github.com/nodejs/security-wg/issues/860#issuecomment-1636464514
+* [In Progress] Clarify Policy expectations - https://github.com/nodejs/node/pull/48947
+
+## WG Meetings
+
+TSC
+  * 26/07
+  * 12/07
+Security WG
+  * 06/07
+  * 20/07
+Release WG
+  * 27/07 - Possibly new release (Ulises Gascon)