No technology is perfect, and ESLint believes that working with skilled
security researchers across the globe is crucial in identifying weaknesses in
any technology. If you believe you've found a security issue in ESLint or its
infrastructure, we encourage you to notify us. We welcome working with you to
resolve the issue promptly.
Since ESLint is run by volunteers, we cannot pay bounties.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our infrastructure.
While researching, please refrain from:
- Attempting to compromise the npm or GitHub accounts of anyone on the ESLint team
- Publishing anything to the npm registry or to GitHub using ESLint's credentials, if you find a way to access them
- Social engineering, including submitting backdoors in pull requests
- Denial-of-service attacks
Thank you for helping keep ESLint and our users safe!
Hall of Fame