Node.js Security Working Group

Security Working Group

Charter

The Security Working Group manages all aspects and processes linked to Node.js security.

Responsibilities include:

  • Define and maintain security policies and procedures for:
    • the core Node.js project
    • other projects maintained by the Node.js Technical Steering Committee (TSC).
  • Work with the Node Security Platform to bring community vulnerability data into the foundation as a shared asset.
  • Ensure the vulnerability data is updated in an efficient and timely manner. For example, ensuring there are well-documented processes for reporting vulnerabilities in community modules.
  • Review and recommend processes for handling of security reports (but not the actual administration of security reports, which are reviewed by a group of people directly delegated to by the TSC).
  • Define and maintain policies and procedures for the coordination of security concerns within the external Node.js open source ecosystem.
  • Offer help to npm package maintainers to fix high-impact security bugs.
  • Maintain and make available data on disclosed security vulnerabilities in:
    • the core Node.js project
    • other projects maintained by the Node.js Foundation technical group
    • the external Node.js open source ecosystem
  • Promote the improvement of security practices within the Node.js ecosystem.
  • Recommend security improvements for the core Node.js project.
  • Facilitate and promote the expansion of a healthy security service and product provider ecosystem.

Private Node.js core security group

The Node.js Security Working Group is not responsible for managing incoming security reports to the security@nodejs.org address, nor is it privy to or responsible for preparing embargoed security patches and releases.

The Node.js TSC maintains primary responsibility for the management of private security activities for Node.js core but relies on the Node.js Security Working Group to recommend and help maintain policies and procedures for that management.

Node.js Bug Bounty Program

The Node.js project engages in an official bug bounty program for security researchers and responsible public disclosures.

The program is managed through the HackerOne platform at https://hackerone.com/nodejs, where further details are available.

Participate in Responsible Security Disclosure

As a module author you can provide your users with security guidelines regarding any exposures and vulnerabilities in your project, based on a responsible disclosure policy document we've already put in place.

You can show your users you take security matters seriously and drive higher confidence by following any of the below suggested actions:

  1. Adding a SECURITY.md file to your repository that you can copy and paste from us. Just like having contribution or code of conduct guidelines, a security guideline will help users or bug hunters with the process of reporting a vulnerability or security concern they would like to share.

  2. Adding our Responsible Security Disclosure badge to your project's README, linking to the SECURITY.md document.

Current Project Team Members

Emeritus Members

Code of Conduct

The Node.js Code of Conduct applies to this WG.

Moderation Policy

The Node.js Moderation Policy applies to this WG.
