From 7e9d8197c1a6bc649fd9cdecbcbfc4dbfe9597b8 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 31 Mar 2023 10:28:44 -0300 Subject: [PATCH] doc: clarify reports are only evaluated on active versions --- SECURITY.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index acf83434de4e79..a347c07edd07bf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -31,9 +31,10 @@ maintainers. Here is the security disclosure policy for Node.js * The security report is received and is assigned a primary handler. This - person will coordinate the fix and release process. The problem is confirmed - and a list of all affected versions is determined. Code is audited to find - any potential similar problems. Fixes are prepared for all releases which are + person will coordinate the fix and release process. The problem is validated + against all supported Node.js versions. Once confirmed, a list of all affected + versions is determined. Code is audited to find any potential similar + problems. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.
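Review bot: The added sentence "The problem is validated against all supported Node.js versions" uses "supported", while the subject line says "active versions" and the unchanged context two lines further down says "releases which are still under maintenance". A reporter reading this paragraph cannot tell whether these are the same set of release lines. Suggest picking one term for the whole paragraph and stating or linking where that set is defined, so the scope of validation and the scope of fixes read the same. Minor style point: the last added line, "problems. Fixes are prepared for all releases which are", is followed by the unchanged "still under maintenance. These fixes are not committed to the public", so the paragraph could be re-wrapped for an even fill once the wording is settled.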