From 7267b0c5fd8137fec5687939f2669117fcbdb6d0 Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Thu, 18 Dec 2025 11:08:55 +0100 Subject: [PATCH] doc: exclude compile-time flag features from security policy Add a new section to the security model clarifying that experimental features behind compile-time flags are not covered by the vulnerability reporting policy. These features are intended for development only and are not enabled in official releases. --- SECURITY.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 087ea563c9dfd4..a641148bcea04d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -125,6 +125,26 @@ This policy recognizes that experimental platforms may not compile, may not pass the test suite, and do not have the same level of testing and support infrastructure as Tier 1 and Tier 2 platforms. +### Experimental features behind compile-time flags + +Node.js includes certain experimental features that are only available when +Node.js is compiled with specific flags. These features are intended for +development, debugging, or testing purposes and are not enabled in official +releases. + +* Security vulnerabilities that only affect features behind compile-time flags + will **not** be accepted as valid security issues. +* Any issues with these features will be treated as normal bugs. +* No CVEs will be issued for issues that only affect compile-time flag features. +* Bug bounty rewards are not available for compile-time flag feature issues. + +This policy recognizes that experimental features behind compile-time flags +are not ready for public consumption and may have incomplete implementations, +missing security hardening, or other limitations that make them unsuitable +for production use. + +### What constitutes a vulnerability + Being able to cause the following through control of the elements that Node.js does not trust is considered a vulnerability:
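Review bot: The new "Experimental features behind compile-time flags" section never says how a reporter can tell whether a feature is behind a compile-time flag, so the exclusion is hard to apply consistently; consider naming or linking the list of configure/build flags that this covers (or the build documentation that enumerates them) in the opening paragraph, next to "only available when Node.js is compiled with specific flags". The sentence "are not enabled in official releases" would also benefit from stating the consequence explicitly: a custom or downstream build that turns such a flag on is operating outside this policy and carries that risk itself, which is the practical reason the four bullets (no accepted vulnerability, normal-bug triage, no CVE, no bounty) apply. The bullet structure otherwise mirrors the preceding experimental-platforms section, which keeps the document consistent.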