nodejs: add 2023-03 update report

alpha/engagements/2023/node.js/update-2023-03.md

@@ -0,0 +1,72 @@
+# Update 2023-03
+
+The following update are according to the [Security Support Role](./security-support-role.md) document.
+
+Each section points to at least one item to the priority list defined by Security Support Role document.
+
+## 1) Fix and Triage Security Issues
+
+* 5 HackerOne reports were opened in March 2023.
+  * H1-1897616 - Closed as N/A
+  * H1-1889579 - Closed as Informative
+  * H1-1917390 - Assessing
+  * H1-1927480 - Assessing
+  * H1-1933247 - Assessing
+
+## 3) Node.js Security WG Initiatives
+
+* Great progress in the Automation of Node.js dependencies https://github.com/nodejs/security-wg/issues/828
+
+* Permission Model
+  * An issue to discuss the next steps of this feature was created: [Permission Model Roadmap](https://github.com/nodejs/security-wg/issues/898)
+  * Several improvements arrived:
+    - [#46833](https://github.com/nodejs/node/pull/46833)
+    - [#46975](https://github.com/nodejs/node/pull/46975)
+    - [#47030](https://github.com/nodejs/node/pull/47030)
+    - [#47091](https://github.com/nodejs/node/pull/47091)
+    - [#47095](https://github.com/nodejs/node/pull/47095)
+    - [#46977](https://github.com/nodejs/node/pull/46977)
+    - [#46859](https://github.com/nodejs/node/pull/46859)
+    - [#47352](https://github.com/nodejs/node/pull/47352)
+  * We've decided to drop the `process.permission.deny` to reduce the surface of an attack vector
+    - This feature will be discussed in the [Permission Model Roadmap](https://github.com/nodejs/security-wg/issues/898)
+  * We've decided to release the permission model with the upcoming v20 release.
+
+* OpenSSF Scorecard
+  * Very good progress
+  * Node.js, Undici, and security-wg are fully monitored now
+  * We're woring to increase the security-wg and Node.js scorecard
+  * An tracking issue was created to review the score on each security-wg session: https://github.com/nodejs/security-wg/issues/937
+
+## 4) Node.js Security Sustainability
+
+* 3 New contributors to Node.js and Security-WG. They have been very active lately
+* The last session of March was chaired by a Security-WG member
+* Excellent attendance in the meetings and in the tasks
+* StepSecurity is helping in the OSSF Scorecard initiative
+* Rafael did a presentation about the Security side of Node.js in Florence, Italy, and got a very good feedback
+(including 2 new contributors) - Talk: https://www.youtube.com/watch?v=Y1jiF430k2Q&ab_channel=Schr%C3%B6dingerHat
+
+## 5) Improving Security Processes
+
+* Adjusted the release policy cutoff - https://github.com/nodejs/node/pull/47149
+
+## 6) Ecosystem Adoption
+
+* @fastify/session - this was needed for a security patch - https://github.com/fastify/session/pull/189
+* New release of `is-my-node-vulnerable` v1.3.0 - https://github.com/RafaelGSS/is-my-node-vulnerable/releases/tag/v1.3.0
+* 3 Upcoming security fixes for @fastify/passport and @fastify/csrf-protection
+
+## WG Meetings
+
+Meetings of the Working Group in which Rafael participated
+
+* Security WG
+  * 02/03 - https://github.com/nodejs/security-wg/issues/897
+  * 16/03 - https://github.com/nodejs/security-wg/issues/905
+  * 30/03 - https://github.com/nodejs/security-wg/issues/932
+* TSC
+  * 15/03 - https://github.com/nodejs/TSC/issues/1355
+* Release WG
+  * 09/03 - https://github.com/nodejs/Release/issues/830
+