Security: stream-utils/raw-body

SECURITY.md

Security Policies and Procedures

This document outlines security procedures and general policies for the raw-body project.

Reporting a Bug or Security Vulnerability

The raw-body team and community take all security vulnerabilities seriously. Thank you for improving the security of raw-body and related projects. We appreciate your efforts in responsible disclosure and will make every effort to acknowledge your contributions.

A member of the team will acknowledge your report as soon as possible. These timelines may extend when our triage volunteers are away on holiday, particularly at the end of the year.

After the initial response to your report, the owners commit to keeping you informed about the progress toward a fix and the final announcement, and they may request additional information or clarification during the process.

Reporting Security Bugs via GitHub Security Advisory

The preferred way to report security vulnerabilities is through GitHub Security Advisories. This allows us to collaborate on a fix while maintaining the confidentiality of the report.

To report a vulnerability (docs):

  1. Visit the Security tab of the affected repository on GitHub.
  2. Click Report a vulnerability and follow the provided steps.

Third-Party Modules

If the security issue pertains to a third-party module, please report it to the maintainers of that module.

Disclosure Policy

When the raw-body team receives a security bug report, they will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

  • Confirm the problem and determine the affected versions.
  • Audit code to find any potential similar problems.
  • Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible to npm.

Comments on this Policy

If you have suggestions on how this process could be improved, please submit a pull request.

There aren’t any published security advisories