nodejs · nodejs-github-bot · Aug 25, 2025 · Aug 23, 2025 · Aug 23, 2025
diff --git a/SECURITY.md b/SECURITY.md
@@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other
 words, it cannot assume that a trusted element (such as the operating
 system) has been compromised.
 
+### Experimental platforms
+
+Node.js maintains a tier-based support system for operating systems and
+hardware combinations (Tier 1, Tier 2, and Experimental). For platforms
+classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms)
+documentation:
+
+* Security vulnerabilities that only affect experimental platforms will **not** be accepted as valid security issues.
+* Any issues on experimental platforms will be treated as normal bugs.
+* No CVEs will be issued for issues that only affect experimental platforms
+* Bug bounty rewards are not available for experimental platform-specific issues
+
+This policy recognizes that experimental platforms may not compile, may not
+pass the test suite, and do not have the same level of testing and support
+infrastructure as Tier 1 and Tier 2 platforms.
+
 Being able to cause the following through control of the elements that Node.js
 does not trust is considered a vulnerability: