doc: update bug bounty program#62590

Open
RafaelGSS wants to merge 1 commit into main from RafaelGSS-patch-1

@RafaelGSS
Member

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot added the doc label Apr 4, 2026

@legendecas
Member

Maybe this bug bounty section can be removed?

@MikeMcC399
Contributor

... or to be consistent with the blog post, say "Security Bug Bounty Program Paused" and link to the blog post for details

@RafaelGSS
Member Author

It's best that AI-slop users see this explicitly, to avoid submitting invalid reports in an attempt at brute-force bounties.

Member

@mcollina left a comment

lgtm

@aduh95 added the author ready and commit-queue labels Apr 5, 2026

The Node.js project engages in an official bug bounty program for security
researchers and responsible public disclosures. The program is managed through
the HackerOne platform. See <https://hackerone.com/nodejs> for further details.
The Node.js project no longer has a bug bounty program.
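
Review bot: the replacement sentence at the end of this hunk, "The Node.js project no longer has a bug bounty program.", drops the only HackerOne pointer in these lines and gives no reason or date for the change. Consider linking to the announcement that explains it and stating whether reports are still accepted through the existing channel, so the section is not read as ending vulnerability reporting altogether.
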
Member

I would still mention HackerOne though, saying we have a program but don't pay bounties

Contributor

@MikeMcC399 Apr 5, 2026

It's still mentioned in Line 5

Report security bugs in Node.js via [HackerOne](https://hackerone.com/nodejs).

Contributor

https://hackerone.com/nodejs is still showing an active bug bounty program, so currently it would be confusing to have a link to it in the section which says there is no longer a bug bounty program
