Security Bug Bounty Program Paused Due to Loss of Funding

The Node.js Project

The Node.js project's security bug bounty program is being paused due to the discontinuation of its external funding source.

Background

Since 2016, the Node.js project has participated in the Internet Bug Bounty (IBB) program through HackerOne, offering monetary rewards to security researchers who responsibly disclosed vulnerabilities in Node.js. The program was a meaningful part of our security ecosystem, and we're grateful to the researchers who participated.

Why

The Internet Bug Bounty (IBB) program, which supported bounty rewards for Node.js through a pooled donation-funded initiative, has been paused. You can read more about the pause here. This decision was not made by the Node.js project.

As a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program on its own. Without external support, we are not able to offer monetary rewards for vulnerability reports at this time.

What This Means

  • Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.
  • No monetary rewards. Reports will no longer be eligible for bounty payouts.
  • Same commitment to security. The Node.js Security Team continues to treat security with the highest priority. Our disclosure policy, response times, and release process remain the same.

A Thank You to Researchers

We want to sincerely thank every researcher who has reported vulnerabilities through the bounty program over the years. Your contributions have made Node.js safer for millions of users. We hope you will continue to report security issues even without financial incentives — responsible disclosure is critical to the health of the open-source ecosystem.

Looking Ahead

We will re-evaluate resuming the bounty program if dedicated funding becomes available again. If your organization depends on Node.js and is interested in sponsoring a bug bounty program, please reach out through the OpenJS Foundation.

For questions or to report a vulnerability, see our security reporting page.