From 49d432d8fea439848bbe01f1c6fea56e00120fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 8 Sep 2025 13:05:22 +0200 Subject: [PATCH] doc: add security escalation policy --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 9862585a92391c..087ea563c9dfd4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,6 +15,13 @@ you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue. +If you do not receive an acknowledgement of your report within 6 business +days, or if you cannot find a private security contact for the project, you +may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further +response or engagement within 14 days, escalation is also appropriate. + ### Node.js bug bounty program The Node.js project engages in an official bug bounty program for security
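Review bot: the two escalation windows in this hunk use different units, "6 business days" in the first added paragraph and "14 days" in the second, so it is unclear whether the second threshold is calendar or business days; make both explicit (e.g. "within 14 calendar days") so reporters and maintainers count the same way. The second paragraph also says only that "escalation is also appropriate" without repeating where to escalate; restating the `security@lists.openjsf.org` contact there, or ending the sentence with "to the same address", avoids the reader having to infer it from the previous paragraph.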