Blog: inform IBB program is paused (#8789)

RafaelGSS · avivkeller · web-flow · commit 621b5799bee1 · 2026-04-02T13:06:58.000Z
* Blog: inform IBB program is paused

* Update apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md

Co-authored-by: Aviv Keller &lt;me@aviv.sh&gt;
Signed-off-by: Rafael Gonzaga &lt;rafael.nunu@hotmail.com&gt;

* fixup! Blog: inform IBB program is paused

---------

Signed-off-by: Rafael Gonzaga &lt;rafael.nunu@hotmail.com&gt;
Co-authored-by: Aviv Keller &lt;me@aviv.sh&gt;
diff --git a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md
@@ -0,0 +1,57 @@
+---
+date: '2026-04-02T12:00:00.000Z'
+category: announcements
+title: Security Bug Bounty Program Paused Due to Loss of Funding
+layout: blog-post
+author: The Node.js Project
+---
+
+The Node.js project's security bug bounty program is being paused due to the
+discontinuation of its external funding source.
+
+## Background
+
+Since 2016, the Node.js project has participated in the
+[Internet Bug Bounty (IBB)](https://www.hackerone.com/internet-bug-bounty) program
+through HackerOne, offering monetary rewards to security researchers who responsibly
+disclosed vulnerabilities in Node.js. The program was a meaningful part of our
+security ecosystem, and we're grateful to the researchers who participated.
+
+## Why
+
+The Internet Bug Bounty (IBB) program, which supported bounty rewards for Node.js
+through a pooled donation-funded initiative, has been paused.
+You can read more about the pause [here](https://hackerone.com/ibb?type=team).
+This decision was not made by the Node.js project.
+
+As a volunteer-driven open-source project, Node.js does not have an independent
+budget to sustain a bounty program on its own. Without external support, we are
+not able to offer monetary rewards for vulnerability reports at this time.
+
+## What This Means
+
+- **Security reporting remains unchanged.** We still accept and triage vulnerability
+  reports through [HackerOne](https://hackerone.com/nodejs). If you discover a
+  security issue, please continue to report it responsibly.
+- **No monetary rewards.** Reports will no longer be eligible for bounty payouts.
+- **Same commitment to security.** The Node.js Security Team continues to treat
+  security with the highest priority. Our disclosure policy, response times, and
+  release process remain the same.
+
+## A Thank You to Researchers
+
+We want to sincerely thank every researcher who has reported vulnerabilities through
+the bounty program over the years. Your contributions have made Node.js safer for
+millions of users. We hope you will continue to report security issues even without
+financial incentives — responsible disclosure is critical to the health of the
+open-source ecosystem.
+
+## Looking Ahead
+
+We will re-evaluate resuming the bounty program if dedicated funding becomes
+available again. If your organization depends on Node.js and is interested in
+sponsoring a bug bounty program, please reach out through the
+[OpenJS Foundation](https://openjsf.org/).
+
+For questions or to report a vulnerability, see our
+[security reporting page](/about/security-reporting).
