Table of Contents

• Vulnerability Management
  • Responsible Disclosure Policy
  • Third-Party Ecosystem Triage Process
  • Third-Party HackerOne Submission form
  • Vulnerability Database
  • Recognition for Security Researchers
• Processes for Security WG Members
  • Security Team Membership Policy
  • On-boarding Team Members
  • Off-boarding Team Members
• Node.js Bug Bounty Program
• Participate in Responsible Security Disclosure
• Charter
• Code of Conduct
• Moderation Policy
• Current Project Team Members
• Emeritus Members

The Ecosystem Security Working Group works to improve the security of the Node.js Ecosystem.

Responsibilities include:

• Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
• Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
• Define and maintain policies and procedures for the coordination of security concerns within the external Node.js open source ecosystem.
• Offer help to npm package maintainers to fix high-impact security bugs.
• Maintain and make available data on disclosed security vulnerabilities in:
  • the core Node.js project
  • other projects maintained by the Node.js Foundation technical group
  • the external Node.js open source ecosystem
• Promote the improvement of security practices within the Node.js ecosystem.
• Facilitate and promote the expansion of a healthy security service and product provider ecosystem.

This Working Group is not responsible for managing or responding to security reports against Node.js itself. That responsibility remains with the Node.js TSC.

The Node.js project engages in an official bug bounty program for security researchers and responsible public disclosures. We have established a first draft of accepted criteria and npm modules and projects that are eligible for monetary reward at Bug Bounty Criteria.

The program is managed through the HackerOne platform at https://hackerone.com/nodejs with further details.

As a module author you can provide your users with security guidelines regarding any exposures and vulnerabilities in your project, based on a responsible dislcosure policy document we've already put in place.

You can show your users you take security matters seriously and drive higher confidence by following any of the below suggested actions:

1. Adding a SECURITY.md file in your repository that you can copy&paste from us. Just like having a contribution of code of conduct guidelines, a security guideline will help user or bug hunters with the process of reporting a vulnerability or security concern they would like to share.

2. Adding our Responsible Security Dislosure badge to your project's README which links to the SECURITY.md document.

• aeleuterio André Eleuterio
• bengl - Bryan English
• brycebaril - Bryce Baril
• ChALkeR - Сковорода Никита Андреевич
• cjihrig - Colin Ihrig
• dgonzalez - David Gonzalez
• deian - Deian Stefan
• drifkin - Devon Rifkin
• elexy - Alex Knol
• grnd - Danny Grander
• karenyavine Karen Yavine Shemesh
• lirantal - Liran Tal
• MarcinHoppe - Marcin Hoppe
• mdawson - Michael Dawson
• mgalexander - Michael Alexander
• pxlpnk - Andreas Tiefenthaler
• ronperris - Ron Perris
• sam-github - Sam Roberts
• SomeoneWeird - Adam Brady
• vdeturckheim - Vladimir de Turckheim

• digitalinfinity - Hitesh Kanwathirtha
• dougwilson - Doug Wilson
• evilpacket - Adam Baldwin
• gergelyke - Gergely Nemeth
• gibfahn - Gibson Fahnestock
• jasnell - James M Snell
• jbergstroem - Johan Bergström
• joshgav - Josh Gavant
• mcollina - Matteo Collina
• ofrobots - Ali Ijaz Sheikh
• roccomuso - Rocco Musolino
• shigeki - Shigeki Ohtsu

Note that membership in the Ecosystem Security WG does not automatically give access to undisclosed vulnerabilities on HackerOne

• Ecosystem Vulnerabilities: Managed by the Ecosystem Triage Team.

The Node.js Code of Conduct applies to this WG.

The Node.js Moderation Policy applies to this WG.