The Node.js project will complete the winding down of the ecosystem vulnerability reporting program beginning the week of May 18th. This DOES NOT affect the process for reporting vulnerabilities in the Node.js project itself. Those will continue to be handled through our HackerOne program and can be reported as described in https://github.com/nodejs/node/blob/master/SECURITY.md.
The Node.js project started accepting vulnerability reports for ecosystem modules in 2016 after the Node.js Security project donated its database to the project. You can read the background “We’re donating the Node Security Project to the Node.js Foundation.” The vulnerabilities were triaged by volunteer members of the Ecosystem Security working group.
We are so grateful for all the volunteers who have contributed to the triaging over the years. A lot has changed since then, both in terms of the number of volunteers within the Node.js project available to handle and triage incoming reports promptly, as well as the number of alternatives for reporting such vulnerabilities. A few months back, the program stopped accepting vulnerability reports for ecosystem modules and we started looking for a new home for the existing reports that we have received.
We’d like to thank Snyk for agreeing to take on the existing vulnerability backlog. To avoid any issues with data ownership and confidentiality, our current plan for the handover is to close the existing reports with instructions that point to the link for reporting the vulnerability to Snyk. If you’ve reported a vulnerability to the ecosystem program and it has not yet been handled, you can expect it to be closed with the following comment:
“The ecosystem vulnerability program within the Node.js project is winding down and Snyk has agreed to take on the backlog. This report will be closed and we ask that you report it to Snyk through:
https://snyk.io/vulnerability-disclosure/
We understand this is an extra step for you and appreciate your effort as we believe this is the most effective way to complete the handover while protecting your privacy and the data associated with your report. You can read more about this in <link to this blog post>”
