Skip to content

Commit

Permalink
doc: improve security section of README.md
Browse files Browse the repository at this point in the history
* Remove fluff text and get to the point: Report security flaws to
  [email protected]. Please do not disclose security flaws publicly
  until they have been handled by the security team.
* Fix somewhat confusing paragraph that says there are no "hard
  and fast rules" but then uses _must_ in the context of a "general
  rule". Easiest solution seems to be to change _must_ to _should_.
* Minor style change (_you will_ instead of _you'll_)

PR-URL: #17929
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Jon Moss <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Gibson Fahnestock <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
Trott authored and MylesBorins committed Jan 24, 2018
1 parent 8319599 commit a79d825
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -172,20 +172,19 @@ Node.js from source along with a list of officially supported platforms.

## Security

All security bugs in Node.js are taken seriously and should be reported by
emailing [email protected]. This will be delivered to a subset of the project
team who handle security issues. Please don't disclose security bugs
publicly until they have been handled by the security team.
Security flaws in Node.js should be reported by emailing [email protected].
Please do not disclose security bugs publicly until they have been handled by
the security team.

Your email will be acknowledged within 24 hours, and you’ll receive a more
Your email will be acknowledged within 24 hours, and you will receive a more
detailed response to your email within 48 hours indicating the next steps in
handling your report.

There are no hard and fast rules to determine if a bug is worth reporting as
a security issue. The general rule is any issue worth reporting
must allow an attacker to compromise the confidentiality, integrity
or availability of the Node.js application or its system for which the attacker
does not already have the capability.
a security issue. The general rule is an issue worth reporting should allow an
attacker to compromise the confidentiality, integrity, or availability of the
Node.js application or its system for which the attacker does not already have
the capability.

To illustrate the point, here are some examples of past issues and what the
Security Response Team thinks of them. When in doubt, however, please do send
Expand Down

0 comments on commit a79d825

Please sign in to comment.