Node.js Security Bug Bounty Program Paused

Node.js Security Bug Bounty Program Paused(nodejs.org)

17 points by 0xedb 46 days ago | 2 comments

radku 45 days ago |

This could significantly impact security of large parts of web ecosystem.

Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"

uticus 41 days ago | |

They are using HackerOne, but not sure if VDP is part of the process.

> Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.