From c02559e58cffeb9c9ac2d9c98a82fdc9faaa9f70 Mon Sep 17 00:00:00 2001
From: Rich Trott <rtrott@gmail.com>
Date: Sun, 31 Dec 2017 20:54:56 -0800
Subject: [PATCH] doc: improve security section of README.md

* Remove fluff text and get to the point: Report security flaws to
  security@nodejs.org. Please do not disclose security flaws publicly
  until they have been handled by the security team.
* Fix somewhat confusing paragraph that says there are no "hard
  and fast rules" but then uses _must_ in the context of a "general
  rule". Easiest solution seems to be to change _must_ to _should_.
* Minor style change (_you will_ instead of _you'll_)

PR-URL: https://github.com/nodejs/node/pull/17929
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
---
 README.md | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 33b405d832365a..c96af8ed9696ae 100644
--- a/README.md
+++ b/README.md
@@ -169,20 +169,19 @@ officially supported platforms.
 
 ## Security
 
-All security bugs in Node.js are taken seriously and should be reported by
-emailing security@nodejs.org. This will be delivered to a subset of the project
-team who handle security issues. Please don't disclose security bugs
-publicly until they have been handled by the security team.
+Security flaws in Node.js should be reported by emailing security@nodejs.org.
+Please do not disclose security bugs publicly until they have been handled by
+the security team.
 
-Your email will be acknowledged within 24 hours, and you’ll receive a more
+Your email will be acknowledged within 24 hours, and you will receive a more
 detailed response to your email within 48 hours indicating the next steps in
 handling your report.
 
 There are no hard and fast rules to determine if a bug is worth reporting as
-a security issue. The general rule is any issue worth reporting
-must allow an attacker to compromise the confidentiality, integrity
-or availability of the Node.js application or its system for which the attacker
-does not already have the capability.
+a security issue. The general rule is an issue worth reporting should allow an
+attacker to compromise the confidentiality, integrity, or availability of the
+Node.js application or its system for which the attacker does not already have
+the capability.
 
 To illustrate the point, here are some examples of past issues and what the
 Security Response Team thinks of them. When in doubt, however, please do send