update to HackerOne reporting text

[mcollina]

I propose we amend this paragraph

All reports are evaluated based on the Node.js Threat Model. You can find more information about it at SECURITY.md.

Adding:

All reports that fail to be reproducible with standard Open Source tools will be closed as "not applicable", e.g. bash, python, node.js scripts are acceptable, burp suite is not.

[RafaelGSS]

SGTM

[mhdawson]

I wonder if the following would be better:

All reports should be be reproducible with standard Open Source tools (, e.g. bash, python, node.js scripts are acceptable, burp suite is not.) or include references to the specific source code relevant to the issue. Reports that can only be reproduced with non-open source tools and cannot otherwise be confirmed will be closed as "not applicable".

[RafaelGSS]

I think we should mention including additional context using tools like burp suite is acceptable, but reproducible examples must use easy-to-use tools. Preferable, Node.js and Bash.

[mhdawson]

@RafaelGSS that was along the lines of what I was trying to get at, so agree on that front.

[mcollina]

@RafaelGSS @mhdawson can you propose some amended text?

[mhdawson]

How about:

All reports should be be reproducible with standard Open Source tools (, e.g. bash, python, node.js scripts) or include references to the specific source code relevant to the issue. In order to supplement the report and provide additional context is is acceptable to use other tools. Reports that can only be reproduced with non-open source tools and cannot otherwise be confirmed will be closed as "not applicable".