Skip to content

Commit

Permalink
doc: add SECURITY.md to readme.md
Browse files Browse the repository at this point in the history
This adds a SECURITY.md file and links to the security document per the
request of @https://github.com/Trott at a recent SF Node meetup.

PR-URL: #24031
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Vse Mozhet Byt <[email protected]>
Reviewed-By: Refael Ackermann <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
  • Loading branch information
warnerp18 authored and targos committed Nov 5, 2018
1 parent e8078f2 commit fa84164
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 37 deletions.
39 changes: 2 additions & 37 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -159,43 +159,8 @@ source and a list of supported platforms.

## Security

If you find a security vulnerability in Node.js, please report it to
[email protected]. Please withhold public disclosure until after the security
team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
nonetheless.


### Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Requires the ability to execute
arbitrary JavaScript code. That is already the highest level of privilege
possible.

### Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
_Fix invalid wildcard certificate validation check_. This was a high-severity
defect. It caused Node.js TLS clients to accept invalid wildcard certificates.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also affect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. This was a remotely-exploitable defect in the Node.js
HTTP implementation.

When in doubt, please do send us a report.

For information on reporting security vulnerabilities in Node.js, see
[SECURITY.md](./SECURITY.md).

## Current Project Team Members

Expand Down
37 changes: 37 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Security

If you find a security vulnerability in Node.js, please report it to
[email protected]. Please withhold public disclosure until after the security
team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
nonetheless.

## Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Requires the ability to execute
arbitrary JavaScript code. That is already the highest level of privilege
possible.

## Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
_Fix invalid wildcard certificate validation check_. This was a high-severity
defect. It caused Node.js TLS clients to accept invalid wildcard certificates.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also affect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. This was a remotely-exploitable defect in the Node.js
HTTP implementation.

When in doubt, please do send us a report.

0 comments on commit fa84164

Please sign in to comment.