diff options
| author | Rich Trott <rtrott@gmail.com> | 2017-12-31 20:54:56 -0800 |
|---|---|---|
| committer | Rich Trott <rtrott@gmail.com> | 2018-01-03 17:19:58 -0800 |
| commit | c3e75ae0ee97553f5f9c4150c936ae9d81fca558 (patch) | |
| tree | 49bff2fe7833932798be4ff5e2fd6dffa2d070d7 /README.md | |
| parent | 26607b825ebebe78a182951af164fd1e319dfe27 (diff) | |
| download | node-new-c3e75ae0ee97553f5f9c4150c936ae9d81fca558.tar.gz | |
doc: improve security section of README.md
* Remove fluff text and get to the point: Report security flaws to
security@nodejs.org. Please do not disclose security flaws publicly
until they have been handled by the security team.
* Fix somewhat confusing paragraph that says there are no "hard
and fast rules" but then uses _must_ in the context of a "general
rule". Easiest solution seems to be to change _must_ to _should_.
* Minor style change (_you will_ instead of _you'll_)
PR-URL: https://github.com/nodejs/node/pull/17929
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 17 |
1 files changed, 8 insertions, 9 deletions
@@ -169,20 +169,19 @@ officially supported platforms. ## Security -All security bugs in Node.js are taken seriously and should be reported by -emailing security@nodejs.org. This will be delivered to a subset of the project -team who handle security issues. Please don't disclose security bugs -publicly until they have been handled by the security team. +Security flaws in Node.js should be reported by emailing security@nodejs.org. +Please do not disclose security bugs publicly until they have been handled by +the security team. -Your email will be acknowledged within 24 hours, and you’ll receive a more +Your email will be acknowledged within 24 hours, and you will receive a more detailed response to your email within 48 hours indicating the next steps in handling your report. There are no hard and fast rules to determine if a bug is worth reporting as -a security issue. The general rule is any issue worth reporting -must allow an attacker to compromise the confidentiality, integrity -or availability of the Node.js application or its system for which the attacker -does not already have the capability. +a security issue. The general rule is an issue worth reporting should allow an +attacker to compromise the confidentiality, integrity, or availability of the +Node.js application or its system for which the attacker does not already have +the capability. To illustrate the point, here are some examples of past issues and what the Security Response Team thinks of them. When in doubt, however, please do send |