Skip to content

Security: jackmurdoch/fastify

Security

SECURITY.md

Security Policy

This document describes the management of vulnerabilities for the Fastify project and its official plugins.

Reporting vulnerabilities

Individuals who find potential vulnerabilities in Fastify are invited to complete a vulnerability report via the dedicated HackerOne tool for Node.js modules: https://hackerone.com/nodejs-ecosystem.

How to report a vulnerability

It is of the utmost importance that you read carefully HOW TO REPORT A VULNERABILITY written by the Security Working Group of Node.js.

Handling vulnerability reports

When a potential vulnerability is reported and confirmed the Fastify Core Team will intervene in the follow-up stage of the process following the workflow and the timings described in the Security WG's document.

Vulnerabilities found outside this process

⚠ The Fastify project does not support any reporting outside the HackerOne process.

The Fastify Core team

The core team is responsible for the management of this process.

Members of this team are expected to keep all information that they have privileged access to by being on the team completely private to the team. This includes agreeing to not notify anyone outside the team of issues that have not yet been disclosed publicly, including the existence of issues, expectations of upcoming releases, and patching of any issues other than in the process of their work as a member of the Fastify Core team.

There aren’t any published security advisories