doc: clarify experimental platform vulnerability policy

mcollina · mcollina · commit 3b681fb65556 · 2025-08-23T12:27:11.000+02:00
Adds a new section to the threat model specifying that security
vulnerabilities affecting only experimental platforms will not be
accepted as valid security issues and will be treated as normal bugs.

This clarifies that experimental OS/hardware combinations do not
qualify for CVEs or bug bounty rewards, aligning with their limited
testing and support infrastructure.

Signed-off-by: Matteo Collina &lt;hello@matteocollina.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other
 words, it cannot assume that a trusted element (such as the operating
 system) has been compromised.
 
+### Experimental platforms
+
+Node.js maintains a tier-based support system for operating systems and
+hardware combinations (Tier 1, Tier 2, and Experimental). For platforms
+classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms)
+documentation:
+
+* Security vulnerabilities will **not** be accepted as valid security issues
+* Problems on experimental platforms will be treated as normal bugs
+* No CVEs will be issued for issues that only affect experimental platforms
+* Bug bounty rewards are not available for experimental platform-specific issues
+
+This policy recognizes that experimental platforms may not compile, may not
+pass the test suite, and do not have the same level of testing and support
+infrastructure as Tier 1 and Tier 2 platforms.
+
 Being able to cause the following through control of the elements that Node.js
 does not trust is considered a vulnerability:
 
