doc: mention reports should align with Node.js CoC

Refs: https://github.com/nodejs/moderation/issues/830
PR-URL: https://github.com/nodejs/node/pull/57607
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Stefan Stojanovic <stefan.stojanovic@janeasystems.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Rafael Gonzaga 2025-03-26 12:00:58 -03:00 committed by Marco Ippolito
parent 7b2c0bc92e
commit e80669be0d


@ -55,6 +55,39 @@ Here is the security disclosure policy for Node.js
possible; however, we must follow the release process above to ensure that we
handle disclosure consistently.
## Code of Conduct and Vulnerability Reporting Guidelines
When reporting security vulnerabilities, reporters must adhere to the following guidelines:
1. **Code of Conduct Compliance**: All security reports must comply with our
[Code of Conduct](CODE_OF_CONDUCT.md). Reports that violate our code of conduct
will not be considered and may result in being banned from future participation.
2. **No Harmful Actions**: Security research and vulnerability reporting must not:
* Cause damage to running systems or production environments.
* Disrupt Node.js development or infrastructure.
* Affect other users' applications or systems.
* Include actual exploits that could harm users.
* Involve social engineering or phishing attempts.
3. **Responsible Testing**: When testing potential vulnerabilities:
* Use isolated, controlled environments.
* Do not test on production systems.
* Do not attempt to access or modify other users' data.
* Immediately stop testing if unauthorized access is gained accidentally.
4. **Report Quality**
* Provide clear, detailed steps to reproduce the vulnerability.
* Include only the minimum proof of concept required to demonstrate the issue.
* Remove any malicious payloads or components that could cause harm.
Failure to follow these guidelines may result in:
* Rejection of the vulnerability report.
* Forfeiture of any potential bug bounty.
* Temporary or permanent ban from the bug bounty program.
* Legal action in cases of malicious intent.
## The Node.js threat model
In the Node.js threat model, there are trusted elements such as the
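Review bot: item 4 (`4. **Report Quality**`) drops the trailing colon that items 1 to 3 use (`**Code of Conduct Compliance**:`, `**No Harmful Actions**:`, `**Responsible Testing**:`); make it `4. **Report Quality**:` so the list is consistent. Also worth confirming that the relative link `[Code of Conduct](CODE_OF_CONDUCT.md)` resolves from this file's location, since item 1 makes every report conditional on that document and a broken link would send reporters to a missing policy.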