Update reference for bug bounty program for node core #169
Conversation
README.md
Outdated
| @@ -52,6 +52,13 @@ security activities for Node.js core but relies on the Node.js Security Working | |||
| Group to recommend and help maintain policies and procedures for that | |||
| management. | |||
|
|
|||
| ### Node.js Bug Bounty Program | |||
|
|
|||
| The Node.js project engages in an official bug bounty program for security researches and responsible public disclosures. | |||
README.md
Outdated
|
|
||
| The Node.js project engages in an official bug bounty program for security researches and responsible public disclosures. | ||
|
|
||
| The program is managed through the HackerOne platform at [https://hackerone.com/nodejs](https://hackerone.com/nodejs) with further details. |
There was a problem hiding this comment.
Maybe ...platform. You can find more details on this page: [https...
There was a problem hiding this comment.
do you mean this?
The program is managed through the HackerOne platform.
You can find more details on this page: https://hackerone.com/nodejs
README.md
Outdated
| @@ -52,6 +52,13 @@ security activities for Node.js core but relies on the Node.js Security Working | |||
| Group to recommend and help maintain policies and procedures for that | |||
| management. | |||
|
|
|||
| ### Node.js Bug Bounty Program | |||
|
|
|||
| The Node.js project engages in an official bug bounty program for security researches and responsible public disclosures. | |||
There was a problem hiding this comment.
Whoops, @mhdawson beat me to it :)
README.md
Outdated
|
|
||
| The Node.js project engages in an official bug bounty program for security researches and responsible public disclosures. | ||
|
|
||
| The program is managed through the HackerOne platform at [https://hackerone.com/nodejs](https://hackerone.com/nodejs) with further details. |
There was a problem hiding this comment.
if the URL is the same as the text, how about just putting it in angle brackets like:
the HackerOne platform at <https://hackerone.com/nodejs>
There was a problem hiding this comment.
In other places we just use the URL so I'll change it to plain text
|
@mhdawson can you check my reply to your suggestion, I'm not sure I understood it. |
|
We should wait to land this until we clarify if/when core will start using Hacker one for reporting. |
|
@lirantal should be good to land now :-) |
|
Also submitted nodejs/nodejs.org#1627 |
|
Yes! Awesome and thanks @reedloden for PRing to the website 👏 |
|
Anyone want to send me a check for my path REDOS disclosures? ;-) |
|
@davisjam The bug bounty program is only for security issues that affect Node.js core itself, not any third-party node modules. |
|
@reedloden I am referring to this high-severity REDOS issue I reported in the core |
|
@davisjam ah, neat. My apologies. I know the NSP had reported a bunch of ReDoS issues in third-party modules, so thought it was related to something similar. In any case, the program is not retroactive, so any already reported and fixed issues are not eligible. However, new issues that meet the minimum bar will be eligible. :-) |
Follow-up from #49
Updates necessary:
/nodejs-ecosystemto refer researches to/nodejsfor core Node.js issuesAbove makes sense? any other?