@@ -11,9 +11,11 @@ For more details on active Security Policies, checkout [this page](https://githu
1111
1212Report security bugs in Node.js via [ HackerOne] ( https://hackerone.com/nodejs ) .
1313
14- Your report will be acknowledged within 5 days, and you'll receive a more
15- detailed response to your report within 10 days indicating the next steps in
16- handling your submission.
14+ Normally, your report will be acknowledged within 5 days, and you'll receive
15+ a more detailed response to your report within 10 days indicating the
16+ next steps in handling your submission. These timelines may extend when
17+ our triage volunteers are away on holiday, particularly at the end of the
18+ year.
1719
1820After the initial reply to your report, the security team will endeavor to keep
1921you informed of the progress being made towards a fix and full announcement,
@@ -36,29 +38,29 @@ maintainers.
3638Here is the security disclosure policy for Node.js
3739
3840- The security report is received and is assigned a primary handler. This
39- person will coordinate the fix and release process. The problem is confirmed
40- and a list of all affected versions is determined. Code is audited to find
41- any potential similar problems. Fixes are prepared for all releases which are
42- still under maintenance. These fixes are not committed to the public
43- repository but rather held locally pending the announcement.
41+ person will coordinate the fix and release process. The problem is validated
42+ against all supported Node.js versions. Once confirmed, a list of all affected
43+ versions is determined. Code is audited to find any potential similar
44+ problems. Fixes are prepared for all supported releases.
45+ These fixes are not committed to the public repository but rather held locally
46+ pending the announcement.
4447
4548- A suggested embargo date for this vulnerability is chosen and a CVE (Common
4649 Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
4750
48- - On the embargo date, the Node.js security mailing list is sent a copy of the
49- announcement . The changes are pushed to the public repository and new builds
50- are deployed to nodejs.org. Within 6 hours of the mailing list being
51+ - On the embargo date, a copy of the announcement is sent to the Node.js
52+ security mailing list . The changes are pushed to the public repository and new
53+ builds are deployed to nodejs.org. Within 6 hours of the mailing list being
5154 notified, a copy of the advisory will be published on the Node.js blog.
5255
53- - Typically the embargo date will be set 72 hours from the time the CVE is
56+ - Typically, the embargo date will be set 72 hours from the time the CVE is
5457 issued. However, this may vary depending on the severity of the bug or
5558 difficulty in applying a fix.
5659
57- - This process can take some time, especially when coordination is required
58- with maintainers of other projects. Every effort will be made to handle the
59- bug in as timely a manner as possible; however, it's important that we follow
60- the release process above to ensure that the disclosure is handled in a
61- consistent manner.
60+ - This process can take some time, especially when we need to coordinate with
61+ maintainers of other projects. We will try to handle the bug as quickly as
62+ possible; however, we must follow the release process above to ensure that we
63+ handle disclosure consistently.
6264
6365## Receiving security updates
6466
@@ -69,9 +71,9 @@ Security notifications will be distributed via the following methods.
6971
7072## Comments on this policy
7173
72- If you have suggestions on how this process could be improved please submit a
73- [ pull request ] ( https://github.com/nodejs/nodejs.org ) or
74- [ file an issue ] ( https://github.com/nodejs/security-wg/issues/new ) to discuss .
74+ If you have suggestions on how this process could be improved, please visit
75+ the [ nodejs/security-wg ] ( https://github.com/nodejs/security-wg )
76+ repository .
7577
7678## OpenSSF Best Practices
7779
0 commit comments