doc: describe what security issues are

PR-URL: https://github.com/nodejs/node/pull/14485 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2017-07-25 12:52:49 -07:00 · 2017-07-25 12:52:49 -07:00 · 7540821fb5
commit 7540821fb5
parent c8a389e19f
1 changed files with 45 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -173,6 +173,51 @@ Your email will be acknowledged within 24 hours, and you’ll receive a more
 detailed response to your email within 48 hours indicating the next steps in
 handling your report.

+There are no hard and fast rules to determine if a bug is worth reporting as
+a security issue. The general rule is any issue worth reporting
+must allow an attacker to compromise the confidentiality, integrity
+or availability of the Node.js application or its system for which the attacker
+does not already have the capability.
+
+To illustrate the point, here are some examples of past issues and what the
+Security Reponse Team thinks of them. When in doubt, however, please do send
+us a report nonetheless.
+
+
+### Public disclosure preferred
+
+- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
+  function can be used to cause segfaults_. Causing program termination using
+  either the public Javascript APIs or the private bindings layer APIs requires
+  the ability to execute arbitrary Javascript code, which is already the highest
+  level of privilege possible.
+
+- [#12141](https://github.com/nodejs/node/pull/12141): _buffer: zero fill
+  Buffer(num) by default_. The buffer constructor behaviour was documented,
+  but found to be prone to [mis-use](https://snyk.io/blog/exploiting-buffer/).
+  It has since been changed, but despite much debate, was not considered misuse
+  prone enough to justify fixing in older release lines and breaking our
+  API stability contract.
+
+### Private disclosure preferred
+
+- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
+  _Fix invalid wildcard certificate validation check_. This is a high severity
+  defect that would allow a malicious TLS server to serve an invalid wildcard
+  certificate for its hostname and be improperly validated by a Node.js client.
+
+- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
+  the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
+  in the TLS/SSL protocols also effect Node.js.
+
+- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
+  _Fix defects in HTTP header parsing for requests and responses that can allow
+  response splitting_. While the impact of this vulnerability is application and
+  network dependent, it is remotely exploitable in the HTTP protocol.
+
+When in doubt, please do send us a report.
+
+
 ## Current Project Team Members

 The Node.js project team comprises a group of core collaborators and a sub-group