No technology is perfect, and ESLint believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in ESLint or its infrastructure, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Since ESLint is run by volunteers, we cannot pay bounties.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our infrastructure.

Exclusions

While researching, please refrain from:

• Attempting to compromise the npm or GitHub accounts of anyone on the ESLint team
• Publishing anything to the npm registry or to GitHub using ESLint's credentials, if you find a way to access them
• Social engineering, including submitting backdoors in pull requests
• Denial-of-service attacks

Thank you for helping keep ESLint and our users safe!