doc: add security escalation policy

PR-URL: https://github.com/nodejs/node/pull/59806 Refs: https://github.com/openjs-foundation/cross-project-council/pull/1588 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com>
2025-12-28 07:50:41 +00:00 · 2025-09-15 08:54:35 +02:00 · 2025-09-15 08:54:35 +02:00 · 15c276d59c
commit 15c276d59c
parent 58f408f528
1 changed files with 7 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -15,6 +15,13 @@ you informed of the progress being made towards a fix and full announcement,
 and may ask for additional information or guidance surrounding the reported
 issue.

+If you do not receive an acknowledgement of your report within 6 business
+days, or if you cannot find a private security contact for the project, you
+may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further
+response or engagement within 14 days, escalation is also appropriate.
+
 ### Node.js bug bounty program

 The Node.js project engages in an official bug bounty program for security