nodejs/SECURITY.md

# Security

If you find a security vulnerability in Node.js, please report it to
security@nodejs.org. Please withhold public disclosure until after the security
team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
nonetheless.

## Public disclosure preferred

* [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
  function can be used to cause segfaults_. Requires the ability to execute
  arbitrary JavaScript code. That is already the highest level of privilege
  possible.

## Private disclosure preferred

* [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
  _Fix invalid wildcard certificate validation check_. This was a high-severity
  defect. It caused Node.js TLS clients to accept invalid wildcard certificates.

* [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
  the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
  in the TLS/SSL protocols also affect Node.js.

* [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
  _Fix defects in HTTP header parsing for requests and responses that can allow
  response splitting_. This was a remotely-exploitable defect in the Node.js
  HTTP implementation.

When in doubt, please do send us a report.
doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2018-11-02 05:24:54 +01:00			`# Security`

			`If you find a security vulnerability in Node.js, please report it to`
			`security@nodejs.org. Please withhold public disclosure until after the security`
			`team has addressed the vulnerability.`

			`The security team will acknowledge your email within 24 hours. You will receive`
			`a more detailed response within 48 hours.`

			`There are no hard and fast rules to determine if a bug is worth reporting as a`
			`security issue. Here are some examples of past issues and what the Security`
			`Response Team thinks of them. When in doubt, please do send us a report`
			`nonetheless.`

			`## Public disclosure preferred`

doc: use consistent unordered list style Convert to asterisks when there are mixed styles in document. Addresses Markdownlint MD004 rule PR-URL: https://github.com/nodejs/node/pull/29516 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> 2019-09-13 06:22:29 +02:00			`* [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain`
doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2018-11-02 05:24:54 +01:00			`function can be used to cause segfaults_. Requires the ability to execute`
			`arbitrary JavaScript code. That is already the highest level of privilege`
			`possible.`

			`## Private disclosure preferred`

doc: use consistent unordered list style Convert to asterisks when there are mixed styles in document. Addresses Markdownlint MD004 rule PR-URL: https://github.com/nodejs/node/pull/29516 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> 2019-09-13 06:22:29 +02:00			`* [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):`
doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2018-11-02 05:24:54 +01:00			`_Fix invalid wildcard certificate validation check_. This was a high-severity`
			`defect. It caused Node.js TLS clients to accept invalid wildcard certificates.`

doc: use consistent unordered list style Convert to asterisks when there are mixed styles in document. Addresses Markdownlint MD004 rule PR-URL: https://github.com/nodejs/node/pull/29516 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> 2019-09-13 06:22:29 +02:00			`* [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes`
doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2018-11-02 05:24:54 +01:00			`the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities`
			`in the TLS/SSL protocols also affect Node.js.`

doc: use consistent unordered list style Convert to asterisks when there are mixed styles in document. Addresses Markdownlint MD004 rule PR-URL: https://github.com/nodejs/node/pull/29516 Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> 2019-09-13 06:22:29 +02:00			`* [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):`
doc: add SECURITY.md to readme.md This adds a SECURITY.md file and links to the security document per the request of @https://github.com/Trott at a recent SF Node meetup. PR-URL: https://github.com/nodejs/node/pull/24031 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2018-11-02 05:24:54 +01:00			`_Fix defects in HTTP header parsing for requests and responses that can allow`
			`response splitting_. This was a remotely-exploitable defect in the Node.js`
			`HTTP implementation.`

			`When in doubt, please do send us a report.`