From e856fa2155a8e2719fc38c40c7812315b3ad54da Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Mon, 15 Oct 2018 22:25:28 -0700 Subject: [PATCH] doc: simplify security reporting text Edit security-reporting text in the README to keep it concise and straightforward. The removed text may discourage reporting. Nothing like it appears in similar security-reporting text that I have reviewed. See, for example, the Linux kernel docs on security reporting: https://www.kernel.org/doc/html/v4.11/admin-guide/security-bugs.html PR-URL: https://github.com/nodejs/node/pull/23686 Reviewed-By: Luigi Pinca Reviewed-By: Ruben Bridgewater --- README.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ae2f28b2daf551..00cbd58d532325 100644 --- a/README.md +++ b/README.md @@ -166,15 +166,10 @@ team has addressed the vulnerability. The security team will acknowledge your email within 24 hours. You will receive a more detailed response within 48 hours. -There are no hard and fast rules to determine if a bug is worth reporting as -a security issue. The general rule is an issue worth reporting should allow an -attacker to compromise the confidentiality, integrity, or availability of the -Node.js application or its system for which the attacker does not already have -the capability. - -To illustrate the point, here are some examples of past issues and what the -Security Response Team thinks of them. When in doubt, however, please do send -us a report nonetheless. +There are no hard and fast rules to determine if a bug is worth reporting as a +security issue. Here are some examples of past issues and what the Security +Response Team thinks of them. When in doubt, please do send us a report +nonetheless. ### Public disclosure preferred
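Review bot: In the README.md hunk (@@ -166,15 +166,10 @@), the removed sentence about an issue that lets an attacker "compromise the confidentiality, integrity, or availability" of the application "for which the attacker does not already have the capability" was the only stated criterion for what counts as a security issue. After this change the paragraph says there are "no hard and fast rules" and goes straight to the examples. If the goal is to avoid discouraging reports, consider keeping a one-clause version of that criterion alongside "When in doubt, please do send us a report nonetheless", so a reporter whose case matches none of the examples still has a test to apply. Minor style point on the last added line: "please do send us a report nonetheless" carries both "do" and "nonetheless" after "When in doubt"; "please send us a report" would match the commit's stated aim of concise text.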