2 comments

[ 1.9 ms ] story [ 19.1 ms ] thread
This could significantly impact security of large parts of web ecosystem.

Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"

They are using HackerOne, but not sure if VDP is part of the process.

> Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.