Report security bugs in the N|Solid Runtime via security@nodesource.com
Normally your report will be acknowledged within 5 days, and you'll receive a more detailed response to your report within 10 days indicating the next steps in handling your submission. These timelines may extend when our triage volunteers are away on holiday, particularly at the end of the year.
After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue.
Security bugs in third party modules should be reported to their respective maintainers.
Here is the security disclosure policy for N|Solid
-
The security report is received and is assigned a primary handler. This person will coordinate the fix and release process. The problem is validated against all supported versions. Once confirmed, a list of all affected versions is determined. Code is audited to find any potential similar problems. Fixes are prepared for all supported releases. These fixes are not committed to the public repository but rather held locally pending the announcement.
-
If deemed necessary, an embargo date may be set and a delayed announcement may be coordinated to time the announcement with the release. Some NodeSource customers may be invited to be a part of the embargo and review team.
Security notifications will be distributed via https://nodesource.com/blog/