This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1.6 KiB
Security
If you find a security vulnerability in Node.js, please report it to security@nodejs.org. Please withhold public disclosure until after the security team has addressed the vulnerability.
The security team will acknowledge your email within 24 hours. You will receive a more detailed response within 48 hours.
There are no hard and fast rules to determine if a bug is worth reporting as a security issue. Here are some examples of past issues and what the Security Response Team thinks of them. When in doubt, please do send us a report nonetheless.
Public disclosure preferred
- #14519: Internal domain function can be used to cause segfaults. Requires the ability to execute arbitrary JavaScript code. That is already the highest level of privilege possible.
Private disclosure preferred
-
CVE-2016-7099: Fix invalid wildcard certificate validation check. This was a high-severity defect. It caused Node.js TLS clients to accept invalid wildcard certificates.
-
#5507: Fix a defect that makes the CacheBleed Attack possible. Many, though not all, OpenSSL vulnerabilities in the TLS/SSL protocols also affect Node.js.
-
CVE-2016-2216: Fix defects in HTTP header parsing for requests and responses that can allow response splitting. This was a remotely-exploitable defect in the Node.js HTTP implementation.
When in doubt, please do send us a report.