From e80669be0d60658501e866e9bc322ec627aa31a7 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Wed, 26 Mar 2025 12:00:58 -0300 Subject: [PATCH] doc: mention reports should align with Node.js CoC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refs: https://github.com/nodejs/moderation/issues/830 PR-URL: https://github.com/nodejs/node/pull/57607 Reviewed-By: Jordan Harband Reviewed-By: Marco Ippolito Reviewed-By: James M Snell Reviewed-By: Luigi Pinca Reviewed-By: Antoine du Hamel Reviewed-By: Trivikram Kamat Reviewed-By: Stefan Stojanovic Reviewed-By: Darshan Sen Reviewed-By: Ulises Gascón Reviewed-By: Matteo Collina Reviewed-By: Chengzhong Wu --- SECURITY.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index b8f54307d5e..3193db0d4dd 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -55,6 +55,39 @@ Here is the security disclosure policy for Node.js possible; however, we must follow the release process above to ensure that we handle disclosure consistently. +## Code of Conduct and Vulnerability Reporting Guidelines + +When reporting security vulnerabilities, reporters must adhere to the following guidelines: + +1. **Code of Conduct Compliance**: All security reports must comply with our + [Code of Conduct](CODE_OF_CONDUCT.md). Reports that violate our code of conduct + will not be considered and may result in being banned from future participation. + +2. **No Harmful Actions**: Security research and vulnerability reporting must not: + * Cause damage to running systems or production environments. + * Disrupt Node.js development or infrastructure. + * Affect other users' applications or systems. + * Include actual exploits that could harm users. + * Involve social engineering or phishing attempts. + +3. **Responsible Testing**: When testing potential vulnerabilities: + * Use isolated, controlled environments. + * Do not test on production systems. + * Do not attempt to access or modify other users' data. + * Immediately stop testing if unauthorized access is gained accidentally. + +4. **Report Quality** + * Provide clear, detailed steps to reproduce the vulnerability. + * Include only the minimum proof of concept required to demonstrate the issue. + * Remove any malicious payloads or components that could cause harm. + +Failure to follow these guidelines may result in: + +* Rejection of the vulnerability report. +* Forfeiture of any potential bug bounty. +* Temporary or permanent ban from the bug bounty program. +* Legal action in cases of malicious intent. + ## The Node.js threat model In the Node.js threat model, there are trusted elements such as the
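Review bot: the fourth guideline heading `+4. **Report Quality**` drops the trailing colon that the first three headings carry (`**Code of Conduct Compliance**:`, `**No Harmful Actions**:`, `**Responsible Testing**:`); make it `**Report Quality**:` so the list reads consistently. Two wording points in the same hunk: the item 2 bullet `Include actual exploits that could harm users.` sits awkwardly next to item 4's `Include only the minimum proof of concept required to demonstrate the issue.`, since a reporter could read the first as forbidding any working proof of concept at all; rephrasing it along the lines of "Include weaponized exploits beyond the minimal proof of concept needed to demonstrate the issue." would make the intended distinction explicit. Also, `Immediately stop testing if unauthorized access is gained accidentally.` would be more useful with the expected follow-up (stop, do not retain or use the data, and disclose the access in the report), since the consequences list below it treats undisclosed misuse as grounds for rejection or a ban. Finally, the consequences list refers to "the bug bounty program" without a link, whereas the hunk links `CODE_OF_CONDUCT.md` for the code of conduct; if SECURITY.md does not already describe that program elsewhere, consider linking it so reporters know which program the forfeiture and ban apply to.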