doc: explicit mention arbitrary code execution as a vuln

RafaelGSS · aduh95 · commit 8cb3441443f4 · 2025-03-18T11:16:11.000+01:00
This request came from Github Open Source Secure and it's always welcome to clarify the policy PR-URL: #57426 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -106,6 +106,9 @@ a security vulnerability. Examples of unwanted actions are polluting globals,
 causing an unrecoverable crash, or any other unexpected side effects that can
 lead to a loss of confidentiality, integrity, or availability.
 
+For example, if trusted input (like secure application code) is correct,
+then untrusted input must not lead to arbitrary JavaScript code execution.
+
 **Node.js trusts everything else**. Examples include:
 
 * The developers and infrastructure that runs it.
