doc: clarify experimental platform vulnerability policy

Adds a new section to the threat model specifying that security vulnerabilities affecting only experimental platforms will not be accepted as valid security issues and will be treated as normal bugs. This clarifies that experimental OS/hardware combinations do not qualify for CVEs or bug bounty rewards, aligning with their limited testing and support infrastructure. Signed-off-by: Matteo Collina <[email protected]>
nodejs · nodejs-github-bot · Aug 25, 2025 · Aug 23, 2025 · Aug 23, 2025 · Aug 23, 2025
commit 3b681fb65556fcb86c37d66e6675b1fb7d255ecd
diff --git a/SECURITY.md b/SECURITY.md
@@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other
 words, it cannot assume that a trusted element (such as the operating
 system) has been compromised.
 
+### Experimental platforms
+
+Node.js maintains a tier-based support system for operating systems and
+hardware combinations (Tier 1, Tier 2, and Experimental). For platforms
+classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms)
+documentation:
+
+* Security vulnerabilities will **not** be accepted as valid security issues
+* Problems on experimental platforms will be treated as normal bugs
+* No CVEs will be issued for issues that only affect experimental platforms
+* Bug bounty rewards are not available for experimental platform-specific issues
+
+This policy recognizes that experimental platforms may not compile, may not
+pass the test suite, and do not have the same level of testing and support
+infrastructure as Tier 1 and Tier 2 platforms.
+
 Being able to cause the following through control of the elements that Node.js
 does not trust is considered a vulnerability: