nodejs · mhdawson · Dec 14, 2022 · Nov 29, 2022 · Nov 29, 2022 · Nov 29, 2022
diff --git a/Nodejs-Bug-Bounty-Security-Fund.md b/Nodejs-Bug-Bounty-Security-Fund.md
@@ -0,0 +1,34 @@
+# Node.js Bug Bounty/Security Fund
+
+The TSC maintains a Linux Foundation Crowdfunding account to accept
+the project's share of bug bounties paid out by the
+[Hackerone](https://www.hackerone.com/) bug bounty program.
+
+The funds are to be used
+to encourage contributions to the project with respect to
+security and in particular the handling of vulnearabilities.
+
+This document outlines the use this account.
+
+## Account details
+
+The [account](https://crowdfunding.lfx.linuxfoundation.org/initiative/578a541a-4e7e-47a2-99b9-6cbf49b00c20)
+is associated with and Linux Foundation Crowdfunding account. The user id and password
+are shared with TSC members through 1password.
+
+## Disbursements
+
+Potential disbursements will be agreed through TSC discussion
+and before approval, documented in an issue in the
+[TSC repository](https://github.com/nodejs/TSC). The disbursement
+is considered approved once TSC consensus in the issue has
+been reached.
+
+Once a disbursement has been approved the recipient will open
+a request through the LFX account in the amout approved.
+
+The Chair of the Technical Steering committee will then
+"push the required buttons" in the LFX account to initiate
+the payout in accordance with the agreement reached in the
+TSC issue and if possible including a reference to the issue
+in the TSC repository.