docs: add YesWeHack policy #90
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bjohansebas
reviewed
Jul 17, 2025
bjohansebas
reviewed
Jul 29, 2025
UlisesGascon
commented
Aug 7, 2025
UlisesGascon
commented
Aug 7, 2025
krzysdz
reviewed
Aug 7, 2025
This was referenced Aug 7, 2025
jonchurch
requested changes
Aug 18, 2025
ctcpip
reviewed
Aug 18, 2025
jonchurch
reviewed
Aug 18, 2025
wesleytodd
approved these changes
Aug 18, 2025
Co-authored-by: Wes Todd <wes@wesleytodd.com>
Co-authored-by: Jon Church <me@jonchurch.com>
UlisesGascon
commented
Aug 18, 2025
|
|
||
| ### Bug bounty description | ||
|
|
||
| | Scope Type | Scope | Asset value | |
Member
Author
There was a problem hiding this comment.
Note for myself: Check that the npm versions are correctly deprecated and aligned with the LTS plan. Only express was verified
efekrskl
reviewed
Oct 21, 2025
|
|
||
| The scope of this program spans multiple npm packages maintained by the Express.js team across three GitHub organizations ([expressjs](https://github.com/expressjs), [pillarjs](https://github.com/pillarjs) and [jshttp](https://github.com/jshttp)). These repositories contain the core modules, middleware components, and foundational utilities that power the Express.js ecosystem. | ||
|
|
||
| This bug bounty program is paid for by the [Sovereign Tech Resilience program](https://www.sovereigntechfund.de/programs/bug-resilience). |
Member
There was a problem hiding this comment.
This URL redirects with 301 to https://www.sovereign.tech/programs/bug-resilience. Maybe we could use that instead
efekrskl
reviewed
Oct 21, 2025
|
|
||
| ## Bug Bounty Program | ||
|
|
||
| The Express project participates in a paid bug bounty program funded by the [Sovereign Tech Resilience Program](https://www.sovereigntechfund.de/programs/bug-resilience) and hosted on YesWeHack. |
sheplu
requested changes
Nov 23, 2025
|
|
||
| ## Bug Bounty Program | ||
|
|
||
| The Express project participates in a paid bug bounty program funded by the [Sovereign Tech Resilience Program](https://www.sovereigntechfund.de/programs/bug-resilience) and hosted on YesWeHack. |
Member
There was a problem hiding this comment.
to update with the new STA name and url
| - Oversee the advisory & CVE request process if applicable. | ||
| - Escalate critical vulnerabilities when necessary. | ||
| - Track all security reports for visibility and reporting. | ||
| - Handle communications and disputes on the YesWeHack platform (if needed) |
Member
There was a problem hiding this comment.
do we want to keep the (if needed) ? I guess we will always communicate there is an issue was reported on YWH?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The program is not yet public (login and team addition is required) https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program
This will require the review from the @expressjs/security-triage and @expressjs/express-tc. Also we will need to wait for the feedback from STF and YesWeHack team (before merging) 👍
Related