This document describes the management of vulnerabilities for the Fastify project and it's officials' plugins.

Individuals who find potential vulnerabilities in Fastify are invited to complete a vulnerability report via the dedicated HackerOne tool for Node.js modules: https://hackerone.com/nodejs-ecosystem.

It is of the utmost importance that you read carefully HOW TO REPORT A VULNERABILIY written by the Security Working Group of Node.js.

When a potential vulnerability is reported and confirmed the Fastify Core Team will intervene in the follow-up stage of the process following the workflow and the timings described in the Security WG's document.

⚠ The Fastify project does not support any reporting outside the HackerOne process.

The core team is responsible for the management of this process.

Members of this team are expected to keep all information that they have privileged access to by being on the team completely private to the team. This includes agreeing to not notify anyone outside the team of issues that have not yet been disclosed publicly, including the existence of issues, expectations of upcoming releases, and patching of any issues other than in the process of their work as a member of the Fastify Core team.