doc: simplify security reporting text
Edit security-reporting text in the README to keep it concise and straightforward. The removed text may discourage reporting. Nothing like it appears in similar security-reporting text that I have reviewed. See, for example, the Linux kernel docs on security reporting: https://www.kernel.org/doc/html/v4.11/admin-guide/security-bugs.html PR-URL: https://github.com/nodejs/node/pull/23686 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This commit is contained in:
Rich Trott
parent
72a48a2a0a
commit
d22ec11e4d
13
README.md
13
README.md
@ -166,15 +166,10 @@ team has addressed the vulnerability.
|
|||||||
The security team will acknowledge your email within 24 hours. You will receive
|
The security team will acknowledge your email within 24 hours. You will receive
|
||||||
a more detailed response within 48 hours.
|
a more detailed response within 48 hours.
|
||||||
|
|
||||||
There are no hard and fast rules to determine if a bug is worth reporting as
|
There are no hard and fast rules to determine if a bug is worth reporting as a
|
||||||
a security issue. The general rule is an issue worth reporting should allow an
|
security issue. Here are some examples of past issues and what the Security
|
||||||
attacker to compromise the confidentiality, integrity, or availability of the
|
Response Team thinks of them. When in doubt, please do send us a report
|
||||||
Node.js application or its system for which the attacker does not already have
|
nonetheless.
|
||||||
the capability.
|
|
||||||
|
|
||||||
To illustrate the point, here are some examples of past issues and what the
|
|
||||||
Security Response Team thinks of them. When in doubt, however, please do send
|
|
||||||
us a report nonetheless.
|
|
||||||
|
|
||||||
|
|
||||||
### Public disclosure preferred
|
### Public disclosure preferred
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user