From 3b681fb65556fcb86c37d66e6675b1fb7d255ecd Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Sat, 23 Aug 2025 12:26:34 +0200 Subject: [PATCH 1/2] doc: clarify experimental platform vulnerability policy Adds a new section to the threat model specifying that security vulnerabilities affecting only experimental platforms will not be accepted as valid security issues and will be treated as normal bugs. This clarifies that experimental OS/hardware combinations do not qualify for CVEs or bug bounty rewards, aligning with their limited testing and support infrastructure. Signed-off-by: Matteo Collina --- SECURITY.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 0c7c1c3c3d313f..d894cf1201c272 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other words, it cannot assume that a trusted element (such as the operating system) has been compromised. +### Experimental platforms + +Node.js maintains a tier-based support system for operating systems and +hardware combinations (Tier 1, Tier 2, and Experimental). For platforms +classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms) +documentation: + +* Security vulnerabilities will **not** be accepted as valid security issues +* Problems on experimental platforms will be treated as normal bugs +* No CVEs will be issued for issues that only affect experimental platforms +* Bug bounty rewards are not available for experimental platform-specific issues + +This policy recognizes that experimental platforms may not compile, may not +pass the test suite, and do not have the same level of testing and support +infrastructure as Tier 1 and Tier 2 platforms. + Being able to cause the following through control of the elements that Node.js does not trust is considered a vulnerability: From 2316c27fd92db4cdfeea645b725b394354d6f6b2 Mon Sep 17 00:00:00 2001 
From: Matteo Collina Date: Sat, 23 Aug 2025 14:56:53 +0200 Subject: [PATCH 2/2] Update SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tobias Nießen --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index d894cf1201c272..9862585a92391c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -109,8 +109,8 @@ hardware combinations (Tier 1, Tier 2, and Experimental). For platforms classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms) documentation: -* Security vulnerabilities will **not** be accepted as valid security issues -* Problems on experimental platforms will be treated as normal bugs +* Security vulnerabilities that only affect experimental platforms will **not** be accepted as valid security issues. +* Any issues on experimental platforms will be treated as normal bugs. * No CVEs will be issued for issues that only affect experimental platforms * Bug bounty rewards are not available for experimental platform-specific issues
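Review bot: In the first patch's hunk, the new "### Experimental platforms" section is inserted between "it cannot assume that a trusted element (such as the operating system) has been compromised." and the trailing context "Being able to cause the following through control of the elements that Node.js does not trust is considered a vulnerability:", which splits one continuous argument of the threat model; consider moving the new section after the list that follows that sentence (or to the end of the threat-model section) so the trust discussion stays contiguous. Also in that hunk, the first bullet "Security vulnerabilities will **not** be accepted as valid security issues" reads as if any report reproduced on an experimental platform is rejected, even when the same defect also affects Tier 1 or Tier 2 builds; scope it explicitly to vulnerabilities that only affect experimental platforms, as the third and fourth bullets already do.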
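Review bot: In the second patch's hunk, the two rewritten bullets now end with a period while the two unchanged bullets that follow ("No CVEs will be issued ..." and "Bug bounty rewards are not available ...") do not, so the list is left with mixed punctuation; either add periods to the remaining two or drop them from the rewritten ones. The second rewritten bullet, "Any issues on experimental platforms will be treated as normal bugs.", also lacks the "that only affect experimental platforms" qualifier added to the first bullet, so a defect that reproduces on an experimental platform and on a supported tier could be read as a normal bug; suggest "Any issues that only affect experimental platforms will be treated as normal bugs." A more descriptive subject than "Update SECURITY.md" (for example noting that it scopes the experimental-platform wording) would also help when reading the history.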