| 1 | # Security Policy
|
| 2 |
|
| 3 | ## Responsible disclosure security policy
|
| 4 |
|
| 5 | A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users.
|
| 6 |
|
| 7 | When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. When contacting a security program their disclosure policy will provide details on time-frame, processes and paid bounties.
|
| 8 |
|
| 9 | We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at risk.
|
| 10 |
|
| 11 | ## Reporting a security issue
|
| 12 |
|
| 13 | We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
|
| 14 |
|
| 15 | If you discover a security vulnerability, please use one of the following means of communications to report it to us:
|
| 16 |
|
| 17 | - Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
|
| 18 |
|
| 19 | Note that time-frame and processes are subject to each program’s own policy.
|
| 20 |
|
| 21 | - Report the security issue to the project maintainers directly.
|
| 22 |
|
| 23 | Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
|