Skip to content

Commit

Permalink
doc: describe what security issues are
Browse files Browse the repository at this point in the history
PR-URL: #14485
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
sam-github authored and MylesBorins committed Sep 21, 2017
1 parent ec84335 commit 7dcce65
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,51 @@ Your email will be acknowledged within 24 hours, and you’ll receive a more
detailed response to your email within 48 hours indicating the next steps in
handling your report.

There are no hard and fast rules to determine if a bug is worth reporting as
a security issue. The general rule is any issue worth reporting
must allow an attacker to compromise the confidentiality, integrity
or availability of the Node.js application or its system for which the attacker
does not already have the capability.

To illustrate the point, here are some examples of past issues and what the
Security Reponse Team thinks of them. When in doubt, however, please do send
us a report nonetheless.


### Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
function can be used to cause segfaults_. Causing program termination using
either the public Javascript APIs or the private bindings layer APIs requires
the ability to execute arbitrary Javascript code, which is already the highest
level of privilege possible.

- [#12141](https://github.com/nodejs/node/pull/12141): _buffer: zero fill
Buffer(num) by default_. The buffer constructor behaviour was documented,
but found to be prone to [mis-use](https://snyk.io/blog/exploiting-buffer/).
It has since been changed, but despite much debate, was not considered misuse
prone enough to justify fixing in older release lines and breaking our
API stability contract.

### Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
_Fix invalid wildcard certificate validation check_. This is a high severity
defect that would allow a malicious TLS server to serve an invalid wildcard
certificate for its hostname and be improperly validated by a Node.js client.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
in the TLS/SSL protocols also effect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
_Fix defects in HTTP header parsing for requests and responses that can allow
response splitting_. While the impact of this vulnerability is application and
network dependent, it is remotely exploitable in the HTTP protocol.

When in doubt, please do send us a report.


## Current Project Team Members

The Node.js project team comprises a group of core collaborators and a sub-group
Expand Down

0 comments on commit 7dcce65

Please sign in to comment.