Node.js Security Bug Bounty Program Paused (opens in new tab)

(nodejs.org)

17 points0xedb1mo ago2 comments

2 comments

This could significantly impact security of large parts of web ecosystem.

Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"

uticus1mo ago

They are using HackerOne, but not sure if VDP is part of the process.

> Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.

j / k navigate · click thread line to collapse

2 comments

radku1mo ago

This could significantly impact security of large parts of web ecosystem.

Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"

uticus1mo ago

They are using HackerOne, but not sure if VDP is part of the process.

> Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.

j / k navigate · click thread line to collapse