blob: 5f1e3e2cc7d5630736e98e3920de99b95e211848 (plain
If you find a security vulnerability in Node.js, please report it to
firstname.lastname@example.org. Please withhold public disclosure until after the security
team has addressed the vulnerability.
The security team will acknowledge your email within 24 hours. You will receive
a more detailed response within 48 hours.
There are no hard and fast rules to determine if a bug is worth reporting as a
security issue. Here are some examples of past issues and what the Security
Response Team thinks of them. When in doubt, please do send us a report
## Public disclosure preferred
- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Requires the ability to execute
## Private disclosure preferred
_Fix invalid wildcard certificate validation check_. This was a high-severity
defect. It caused Node.js TLS clients to accept invalid wildcard certificates.
- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also affect Node.js.
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. This was a remotely-exploitable defect in the Node.js
When in doubt, please do send us a report.