安全报告
¥Security Reporting
有关有效安全策略的更多详细信息,请查看 此页面。
¥For more details on active Security Policies, checkout this page.
报告 Node.js 中的漏洞
¥Reporting a bug in Node.js
通过 HackerOne 报告 Node.js 中的安全漏洞。
¥Report security bugs in Node.js via HackerOne.
你的报告将在 5 天内收到确认,你将在 10 天内收到更详细的响应,其中会说明后续处理步骤。
¥Your report will be acknowledged within 5 days, and you'll receive a more detailed response to your report within 10 days indicating the next steps in handling your submission.
在对你的报告进行初步响应后,安全团队将尽力向你通报修复和完整公告的进展情况,并可能要求你提供有关所报告问题的更多信息或指导。
¥After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue.
Node.js 漏洞赏金计划
¥Node.js bug bounty program
Node.js 项目参与了面向安全研究人员和负责任的公开披露的官方漏洞赏金计划。该项目通过 HackerOne 平台进行管理。更多详情请参阅 https://hackerone.com/nodejs。
¥The Node.js project engages in an official bug bounty program for security researchers and responsible public disclosures. The program is managed through the HackerOne platform. See https://hackerone.com/nodejs for further details.
报告第三方模块中的漏洞
¥Reporting a bug in a third party module
第三方模块中的安全漏洞应报告给其各自的维护者。
¥Security bugs in third party modules should be reported to their respective maintainers.
信息披露政策
¥Disclosure policy
以下是 Node.js 的安全披露政策
¥Here is the security disclosure policy for Node.js
-
收到安全报告后,会指派一名主要处理人员。此人将协调修复和发布流程。问题已确认,所有受影响版本的列表已确定。代码已审核,以发现任何潜在的类似问题。所有仍在维护中的版本都已准备好修复。这些修复不会提交到公共代码库,而是在本地保存,等待公告发布。
¥The security report is received and is assigned a primary handler. This person will coordinate the fix and release process. The problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.
-
我们已选定此漏洞的建议发布日期,并已申请该漏洞的 CVE(通用漏洞披露 (CVE®))。
¥A suggested embargo date for this vulnerability is chosen and a CVE (Common Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
-
在禁令生效日期,Node.js 安全邮件列表将收到一份公告副本。更改将推送到公共仓库,新版本将部署到 nodejs.org。在邮件列表收到通知后的 6 小时内,公告副本将在 Node.js 博客上发布。
¥On the embargo date, the Node.js security mailing list is sent a copy of the announcement. The changes are pushed to the public repository and new builds are deployed to nodejs.org. Within 6 hours of the mailing list being notified, a copy of the advisory will be published on the Node.js blog.
-
通常,禁运日期将在 CVE 发布后 72 小时内设定。但是,这可能会根据错误的严重程度或修复难度而有所不同。
¥Typically the embargo date will be set 72 hours from the time the CVE is issued. However, this may vary depending on the severity of the bug or difficulty in applying a fix.
-
此过程可能需要一些时间,尤其是在需要与其他项目的维护者协调时。我们将尽一切努力尽快处理该错误;但是,我们必须遵循上述发布流程,以确保以一致的方式处理披露。
¥This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it's important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
接收安全更新
¥Receiving security updates
安全通知将通过以下方式分发。
¥Security notifications will be distributed via the following methods.
对此政策的评论
¥Comments on this policy
如果你对如何改进此流程有任何建议,请提交 拉取请求 或 提交问题 进行讨论。
¥If you have suggestions on how this process could be improved please submit a pull request or file an issue to discuss.
OpenSSF 最佳实践
¥OpenSSF Best Practices
开源安全基金会 (OpenSSF) 最佳实践徽章 是自由/自由和开源软件 (FLOSS) 项目展示其遵循最佳实践的一种方式。项目可以自愿进行自我认证,以确认其遵循各项最佳实践的方式。徽章使用者可以快速评估哪些 FLOSS 项目遵循最佳实践,从而更有可能开发更高质量的安全软件。
¥The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify how they follow each best practice. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software.