The Node.js project's security bug bounty program has been paused following the discontinuation of external funding from the Internet Bug Bounty initiative. This affects monetary rewards for security vulnerability reports, though Node.js will still accept and triage reports.
The Node.js project's security bug bounty program, active since 2016, has been halted due to the lack of external funding. It was previously supported by the Internet Bug Bounty (IBB) program through a pooled funding approach via HackerOne.
The decision to pause the program comes as the IBB has also been paused, affecting monetary incentives for security researchers.
Despite the lack of funding for financial incentives, the Node.js Security Team maintains its commitment to security. It continues to accept and triage vulnerability reports through HackerOne, emphasizing how important responsible vulnerability disclosure is to the health of the open-source ecosystem.
Researchers are encouraged to report security issues but will no longer receive bug bounty payouts. Node.js hopes the community will continue to prioritize security reporting.
The Node.js project expressed gratitude towards security researchers who have contributed to the program, highlighting their role in enhancing the security of Node.js for millions of users.
The team indicates a willingness to reassess the bounty program's continuation if dedicated funding becomes available again and invites organizations interested in sponsoring to reach out.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.