From 3d1ad8127b7ba23723695c4c3a5205611656d536 Mon Sep 17 00:00:00 2001 From: Create or Update Pull Request Action Date: Mon, 16 Jun 2025 08:01:00 +0000 Subject: [PATCH 1/2] update external docs --- en/resources/contributing.md | 56 +----------------------------------- 1 file changed, 1 insertion(+), 55 deletions(-) diff --git a/en/resources/contributing.md b/en/resources/contributing.md index 03b5fad1d6..a0b188b64a 100644 --- a/en/resources/contributing.md +++ b/en/resources/contributing.md 
@@ -278,61 +278,7 @@ visibility or maintainer input. -This document outlines security procedures and general policies for the Express -project. - - * [Reporting a Bug](#reporting-a-bug) - * [Disclosure Policy](#disclosure-policy) - * [Comments on this Policy](#comments-on-this-policy) - -### Reporting a Bug - -The Express team and community take all security bugs in Express seriously. -Thank you for improving the security of Express. We appreciate your efforts and -responsible disclosure and will make every effort to acknowledge your -contributions. - -Report security bugs by emailing `express-security@lists.openjsf.org`. - -To ensure the timely response to your report, please ensure that the entirety -of the report is contained within the email body and not solely behind a web -link or an attachment. - -The lead maintainer will acknowledge your email within 48 hours, and will send a -more detailed response within 48 hours indicating the next steps in handling -your report. After the initial reply to your report, the security team will -endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. - -Report security bugs in third-party modules to the person or team maintaining -the module. - -### Pre-release Versions - -Alpha and Beta releases are unstable and **not suitable for production use**. -Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. -Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release. - -### Disclosure Policy - -When the security team receives a security bug report, they will assign it to a -primary handler. This person will coordinate the fix and release process, -involving the following steps: - - * Confirm the problem and determine the affected versions. - * Audit code to find any potential similar problems. 
- * Prepare fixes for all releases still under maintenance. These fixes will be - released as fast as possible to npm. - -### The Express Threat Model - -We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) - -### Comments on this Policy - -If you have suggestions on how this process could be improved please submit a -pull request. - +404: Not Found ---- # Contributing to Expressjs.com {#expressjs-website-contributing} From 210cac4ecff498fb16b51beb90380ab0fed956d6 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Sat, 21 Jun 2025 00:35:25 +0000 Subject: [PATCH 2/2] fix location of security file --- en/resources/contributing.md | 58 ++++++++++++++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/en/resources/contributing.md b/en/resources/contributing.md index a0b188b64a..b7ccf7b48b 100644 --- a/en/resources/contributing.md +++ b/en/resources/contributing.md 
@@ -276,9 +276,63 @@ not need high visibility or maintainer input. ## Security Policies and Procedures - + + +This document outlines security procedures and general policies for the Express +project. + + * [Reporting a Bug](#reporting-a-bug) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + +### Reporting a Bug + +The Express team and community take all security bugs in Express seriously. +Thank you for improving the security of Express. We appreciate your efforts and +responsible disclosure and will make every effort to acknowledge your +contributions. + +Report security bugs by emailing `express-security@lists.openjsf.org`. + +To ensure the timely response to your report, please ensure that the entirety +of the report is contained within the email body and not solely behind a web +link or an attachment. + +The lead maintainer will acknowledge your email within 48 hours, and will send a +more detailed response within 48 hours indicating the next steps in handling +your report. After the initial reply to your report, the security team will +endeavor to keep you informed of the progress towards a fix and full +announcement, and may ask for additional information or guidance. + +Report security bugs in third-party modules to the person or team maintaining +the module. + +### Pre-release Versions + +Alpha and Beta releases are unstable and **not suitable for production use**. +Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. +Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release. + +### Disclosure Policy + +When the security team receives a security bug report, they will assign it to a +primary handler. This person will coordinate the fix and release process, +involving the following steps: + + * Confirm the problem and determine the affected versions. 
+ * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. These fixes will be + released as fast as possible to npm. + +### The Express Threat Model + +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) + +### Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. -404: Not Found ---- # Contributing to Expressjs.com {#expressjs-website-contributing}
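Review bot: In the first hunk (PATCH 1/2, `@@ -278,61 +278,7 @@`), the automated "update external docs" run committed the literal line `+404: Not Found` in place of the whole Security Policies section, so the sync action wrote an HTTP error body into the page instead of failing. The fetch step should treat a non-2xx response (or a body that does not look like the expected markdown, e.g. that starts with `404: Not Found`) as a failure and leave the existing file untouched, rather than opening a pull request with the error text; otherwise the published site silently loses the `express-security@lists.openjsf.org` reporting address, the 48-hour acknowledgement commitment and the disclosure steps, which is exactly the content a reporter needs to find.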
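Review bot: The second hunk (PATCH 2/2, `@@ -276,9 +276,63 @@`) restores the section text verbatim and removes `-404: Not Found`, but the commit title "fix location of security file" is not reflected in the diff: only `en/resources/contributing.md` changes, and nothing here updates the source path the "Create or Update Pull Request Action" pulls from. Unless that upstream location is corrected in the action configuration as well, the next automated run will fetch the same missing file and reintroduce the `404: Not Found` line. Two smaller points in the same hunk: the `- ` / `+ ` lines directly under `## Security Policies and Procedures` are whitespace-only churn (a line containing a single trailing space) that should be dropped, and the restored paragraph promises both an acknowledgement "within 48 hours" and a more detailed response "within 48 hours", which reads like a copy error in the source document and is worth fixing there rather than in this restore.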