Skip to content

Commit

Permalink
doc: clarify reports are only evaluated on active versions
Browse files Browse the repository at this point in the history
PR-URL: #47341
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
RafaelGSS authored and MoLow committed Jul 6, 2023
1 parent a8430ad commit 289a8e3
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,12 @@ maintainers.
Here is the security disclosure policy for Node.js

* The security report is received and is assigned a primary handler. This
person will coordinate the fix and release process. The problem is confirmed
and a list of all affected versions is determined. Code is audited to find
any potential similar problems. Fixes are prepared for all releases which are
still under maintenance. These fixes are not committed to the public
repository but rather held locally pending the announcement.
person will coordinate the fix and release process. The problem is validated
against all supported Node.js versions. Once confirmed, a list of all affected
versions is determined. Code is audited to find any potential similar
problems. Fixes are prepared for all supported releases.
These fixes are not committed to the public repository but rather held locally
pending the announcement.

* A suggested embargo date for this vulnerability is chosen and a CVE (Common
Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
Expand Down

0 comments on commit 289a8e3

Please sign in to comment.