# Security Policy

This document describes the management of vulnerabilities for the Fastify project and its official plugins.

## Reporting vulnerabilities

Individuals who find potential vulnerabilities in Fastify are invited to complete a vulnerability report via the dedicated HackerOne tool for Node.js modules: [https://hackerone.com/nodejs-ecosystem](https://hackerone.com/nodejs-ecosystem).

### How to report a vulnerability

It is of the utmost importance that you read carefully [**HOW TO REPORT A VULNERABILITY**](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md), written by the Security Working Group of Node.js.

## Handling vulnerability reports

When a potential vulnerability is reported and confirmed, the Fastify Core Team will intervene in the
`follow-up` stage of the process, following the workflow and the timings described in the Security WG's document.

### Vulnerabilities found outside this process

⚠ The Fastify project does not support any reporting outside the HackerOne process.

## The Fastify Core team

The core team is responsible for the management of [this](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md#handling-vulnerability-reports) process.

Members of this team are expected to keep all information that they have privileged access to by being
on the team completely private to the team. This includes agreeing not to notify anyone outside the
team of issues that have not yet been disclosed publicly, including the existence of issues,
expectations of upcoming releases, and patching of any issues other than in the process of their work
as a member of the Fastify Core team.