New HackerOne Signal Requirement for Vulnerability Reports

We have updated our HackerOne program to require a Signal of 1.0 or higher to submit vulnerability reports to the Node.js project.

Why This Change

The Node.js security team has experienced a significant increase in low-quality reports. This trend has been increasing over the years, and over the holidays it crossed the threshold that we can actually handle. Between December 15th and January 15th, we received over 30 reports. Triaging these reports consumes time and energy that could be spent on legitimate security work.

By requiring a minimum Signal score, we ensure that reporters have a proven track record of submitting valid security reports, while still allowing newer researchers to participate with a limited number of submissions.

What This Means for You

• New researchers or researchers with signal >= 1.0: You can continue reporting vulnerabilities through HackerOne as usual
• Those below the threshold: You can still reach the security team through the OpenJS Foundation Slack. Contact us there to discuss potential vulnerabilities

About HackerOne Signal

Signal is HackerOne's reputation metric that reflects the quality of a researcher's past submissions. A higher Signal indicates a history of valid, impactful reports. This requirement helps us prioritize reports from researchers with demonstrated expertise while reducing the burden of triaging invalid submissions.

We appreciate the security community's understanding and continued collaboration in keeping Node.js secure.