@@ -55,6 +55,39 @@ Here is the security disclosure policy for Node.js
5555 possible; however, we must follow the release process above to ensure that we
5656 handle disclosure consistently.
5757
58+ ## Code of Conduct and Vulnerability Reporting Guidelines
59+
60+ When reporting security vulnerabilities, reporters must adhere to the following guidelines:
61+
62+ 1 . ** Code of Conduct Compliance** : All security reports must comply with our
63+ [ Code of Conduct] ( CODE_OF_CONDUCT.md ) . Reports that violate our code of conduct
64+ will not be considered and may result in being banned from future participation.
65+
66+ 2 . ** No Harmful Actions** : Security research and vulnerability reporting must not:
67+ * Cause damage to running systems or production environments.
68+ * Disrupt Node.js development or infrastructure.
69+ * Affect other users' applications or systems.
70+ * Include actual exploits that could harm users.
71+ * Involve social engineering or phishing attempts.
72+
73+ 3 . ** Responsible Testing** : When testing potential vulnerabilities:
74+ * Use isolated, controlled environments.
75+ * Do not test on production systems.
76+ * Do not attempt to access or modify other users' data.
77+ * Immediately stop testing if unauthorized access is gained accidentally.
78+
79+ 4 . ** Report Quality**
80+ * Provide clear, detailed steps to reproduce the vulnerability.
81+ * Include only the minimum proof of concept required to demonstrate the issue.
82+ * Remove any malicious payloads or components that could cause harm.
83+
84+ Failure to follow these guidelines may result in:
85+
86+ * Rejection of the vulnerability report.
87+ * Forfeiture of any potential bug bounty.
88+ * Temporary or permanent ban from the bug bounty program.
89+ * Legal action in cases of malicious intent.
90+
5891## The Node.js threat model
5992
6093In the Node.js threat model, there are trusted elements such as the
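Review bot: the inline markup in the four numbered items (lines 62-79 of the new SECURITY.md) shows stray spaces inside the bold and link syntax, e.g. `** Code of Conduct Compliance**` and `[ Code of Conduct] ( CODE_OF_CONDUCT.md )`, which Markdown will render as literal asterisks and brackets rather than bold text and a link; please confirm in the raw file whether this is real or only a diff-view artefact and tighten it to `**Code of Conduct Compliance**: ... [Code of Conduct](CODE_OF_CONDUCT.md)`. Item 4, `** Report Quality**`, also drops the trailing colon that items 1-3 carry, so the list reads inconsistently. One wording suggestion under Responsible Testing: "Immediately stop testing if unauthorized access is gained accidentally" could add "and report it through the process above", since the section otherwise leaves a reporter unsure what to do after stopping.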