| 1 | # Security Policy
|
| 2 |
|
| 3 | This document describes the management of vulnerabilities for the Fastify project and it's officials' plugins.
|
| 4 |
|
| 5 |
|
| 6 | ## Reporting vulnerabilities
|
| 7 |
|
| 8 | Individuals who find potential vulnerabilities in Fastify are invited to complete a vulnerability report via the dedicated HackerOne tool for Node.js modules: [https://hackerone.com/nodejs-ecosystem](https://hackerone.com/nodejs-ecosystem).
|
| 9 |
|
| 10 | ### How to report a vulnerabiliy
|
| 11 |
|
| 12 | It is of the utmost importance that you read carefully [**HOW TO REPORT A VULNERABILIY**](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md) written by the Security Working Group of Node.js.
|
| 13 |
|
| 14 |
|
| 15 | ## Handling vulnerability reports
|
| 16 |
|
| 17 | When a potential vulnerability is reported and confirmed the Fastify Core Team will intervene in the
|
| 18 | `follow-up` stage of the process following the workflow and the timings described in the Security WG's document.
|
| 19 |
|
| 20 | ### Vulnerabilities found outside this process
|
| 21 |
|
| 22 | ⚠ The Fastify project does not support any reporting outside the HackerOne process.
|
| 23 |
|
| 24 |
|
| 25 | ## The Fastify Core team
|
| 26 |
|
| 27 | The core team is responsible for the management of [this](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md#handling-vulnerability-reports) process.
|
| 28 |
|
| 29 | Members of this team are expected to keep all information that they have privileged access to by being
|
| 30 | on the team completely private to the team. This includes agreeing to not notify anyone outside the
|
| 31 | team of issues that have not yet been disclosed publicly, including the existence of issues,
|
| 32 | expectations of upcoming releases, and patching of any issues other than in the process of their work
|
| 33 | as a member of the Fastify Core team.
|