doc: add SECURITY.md to readme.md #24031

Closed
39 changes: 2 additions & 37 deletions README.md
@@ -159,43 +159,8 @@ source and a list of supported platforms.

## Security

If you find a security vulnerability in Node.js, please report it to
security@nodejs.org. Please withhold public disclosure until after the security
team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
nonetheless.


### Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Requires the ability to execute
arbitrary JavaScript code. That is already the highest level of privilege
possible.

### Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
_Fix invalid wildcard certificate validation check_. This was a high-severity
defect. It caused Node.js TLS clients to accept invalid wildcard certificates.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also affect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. This was a remotely-exploitable defect in the Node.js
HTTP implementation.

When in doubt, please do send us a report.

For information on reporting security vulnerabilities in Node.js, see
[SECURITY.md](./SECURITY.md).

## Current Project Team Members

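Review bot: the two added lines at the end of this hunk replace the whole section with a bare pointer, so README.md no longer carries the security@nodejs.org address at all; a reader who lands on README.md (which is the file most people see first) now has to follow `[SECURITY.md](./SECURITY.md)` before finding where to report. Consider keeping the address inline in the pointer sentence, e.g. `For information on reporting security vulnerabilities in Node.js, see [SECURITY.md](./SECURITY.md) or email security@nodejs.org.`, and note that a relative link only resolves where the rendered README sits next to SECURITY.md, so an absolute URL to the file is the safer choice if the README is reproduced elsewhere.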
37 changes: 37 additions & 0 deletions SECURITY.md
@@ -0,0 +1,37 @@
# Security

If you find a security vulnerability in Node.js, please report it to
security@nodejs.org. Please withhold public disclosure until after the security
team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
nonetheless.

## Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Requires the ability to execute
arbitrary JavaScript code. That is already the highest level of privilege
possible.

## Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
_Fix invalid wildcard certificate validation check_. This was a high-severity
defect. It caused Node.js TLS clients to accept invalid wildcard certificates.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also affect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. This was a remotely-exploitable defect in the Node.js
HTTP implementation.

When in doubt, please do send us a report.
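Review bot: the final line `When in doubt, please do send us a report.` duplicates the sentence already in the third paragraph (`When in doubt, please do send us a report nonetheless.`), so one of the two should go, and the closing one reads as a leftover now that the examples are in their own sections. Separately, the reporting instructions say where to send a report and how fast the team replies, but not what a report should contain; a short list (affected Node.js version, steps to reproduce, observed impact) right after the `security@nodejs.org` line would make the 24-hour acknowledgement and 48-hour detailed response promised above easier to meet.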