doc: exclude compile-time flag features from security policy

Add a new section to the security model clarifying that experimental
features behind compile-time flags are not covered by the vulnerability
reporting policy. These features are intended for development only and
are not enabled in official releases.

PR-URL: https://github.com/nodejs/node/pull/61109
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Matteo Collina 2025-12-20 11:21:03 +01:00 committed by GitHub
parent 9a6e55ab3d
commit 0a5418088f


@ -125,6 +125,26 @@ This policy recognizes that experimental platforms may not compile, may not
pass the test suite, and do not have the same level of testing and support
infrastructure as Tier 1 and Tier 2 platforms.
### Experimental features behind compile-time flags
Node.js includes certain experimental features that are only available when
Node.js is compiled with specific flags. These features are intended for
development, debugging, or testing purposes and are not enabled in official
releases.
* Security vulnerabilities that only affect features behind compile-time flags
will **not** be accepted as valid security issues.
* Any issues with these features will be treated as normal bugs.
* No CVEs will be issued for issues that only affect compile-time flag features.
* Bug bounty rewards are not available for compile-time flag feature issues.
This policy recognizes that experimental features behind compile-time flags
are not ready for public consumption and may have incomplete implementations,
missing security hardening, or other limitations that make them unsuitable
for production use.
### What constitutes a vulnerability
Being able to cause the following through control of the elements that Node.js
does not trust is considered a vulnerability:
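Review bot: the new section never identifies which compile-time flags it covers, so a reporter cannot tell from the policy whether a given feature falls under the exclusion; in the opening paragraph ("only available when Node.js is compiled with specific flags") either name the relevant build/configure flags or link to where they are documented, and state how a user can verify that their binary was built with one. The closing paragraph ("may have incomplete implementations, missing security hardening") is also the right place to say that distributors who ship builds with these flags enabled take on that risk themselves, since the exclusion otherwise reads as applying to official releases only.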