No technology is perfect, and Node.js believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in a third-party Node.js module, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Vulnerabilities in Node.js core should be reported to email@example.com.
* Vulnerability is identified or Disclosed to Node.js Security Team - We will endeavor to keep reporter / finder in the loop with all communications / events.
* Maintainers are notified if it's not a self disclosure.
* After a fix is made available, the public advisory is finalized and a CVE assigned.
* If no fix is available after 45 days, the advisory will timeout and will be made publicly available.
Thank you for helping keep the Node.js ecosystem safe!
Hall of Fame