doc: improve security section of README.md
* Remove fluff text and get to the point: Report security flaws to
  security@nodejs.org. Please do not disclose security flaws publicly
  until they have been handled by the security team.
* Fix somewhat confusing paragraph that says there are no "hard
  and fast rules" but then uses _must_ in the context of a "general
  rule". Easiest solution seems to be to change _must_ to _should_.
* Minor style change (_you will_ instead of _you'll_)

PR-URL: #17929
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Trott authored and MylesBorins committed Jan 24, 2018
1 parent 532e85a commit 135bc61
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions README.md
Expand Up @@ -169,20 +169,19 @@ officially supported platforms.

## Security

All security bugs in Node.js are taken seriously and should be reported by
emailing security@nodejs.org. This will be delivered to a subset of the project
team who handle security issues. Please don't disclose security bugs
publicly until they have been handled by the security team.
Security flaws in Node.js should be reported by emailing security@nodejs.org.
Please do not disclose security bugs publicly until they have been handled by
the security team.

Your email will be acknowledged within 24 hours, and you’ll receive a more
Your email will be acknowledged within 24 hours, and you will receive a more
detailed response to your email within 48 hours indicating the next steps in
handling your report.

There are no hard and fast rules to determine if a bug is worth reporting as
a security issue. The general rule is any issue worth reporting
must allow an attacker to compromise the confidentiality, integrity
or availability of the Node.js application or its system for which the attacker
does not already have the capability.
a security issue. The general rule is an issue worth reporting should allow an
attacker to compromise the confidentiality, integrity, or availability of the
Node.js application or its system for which the attacker does not already have
the capability.

To illustrate the point, here are some examples of past issues and what the
Security Response Team thinks of them. When in doubt, however, please do send
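Review bot: dropping "This will be delivered to a subset of the project team who handle security issues." leaves the new first paragraph referring to "the security team" without ever saying who that is; consider keeping a short clause, e.g. "reported by emailing security@nodejs.org, which reaches the project's security team." Separately, "an issue worth reporting should allow an attacker to compromise …" now reads as a recommendation rather than a criterion, so the must/should confusion the commit message describes is only half resolved; "an issue worth reporting is one that allows an attacker to compromise …" keeps the softer "general rule" register without the ambiguity.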
