|
| 1 | +# Security Policies and Procedures |
| 2 | + |
| 3 | +This document outlines security procedures and general policies for the Express |
| 4 | +project. |
| 5 | + |
| 6 | + * [Reporting a Bug](#reporting-a-bug) |
| 7 | + * [Disclosure Policy](#disclosure-policy) |
| 8 | + * [Comments on this Policy](#comments-on-this-policy) |
| 9 | + |
| 10 | +## Reporting a Bug |
| 11 | + |
| 12 | +The Express team and community take all security bugs in Express seriously. |
| 13 | +Thank you for improving the security of Express. We appreciate your efforts and |
| 14 | +responsible disclosure and will make every effort to acknowledge your |
| 15 | +contributions. |
| 16 | + |
| 17 | +Report security bugs by emailing the lead maintainer in the Readme.md file. |
| 18 | + |
| 19 | +To ensure the timely response to your report, please ensure that the entirety |
| 20 | +of the report is contained within the email body and not solely behind a web |
| 21 | +link or an attachment. |
| 22 | + |
| 23 | +The lead maintainer will acknowledge your email within 48 hours, and will send a |
| 24 | +more detailed response within 48 hours indicating the next steps in handling |
| 25 | +your report. After the initial reply to your report, the security team will |
| 26 | +endeavor to keep you informed of the progress towards a fix and full |
| 27 | +announcement, and may ask for additional information or guidance. |
| 28 | + |
| 29 | +Report security bugs in third-party modules to the person or team maintaining |
| 30 | +the module. |
| 31 | + |
| 32 | +## Disclosure Policy |
| 33 | + |
| 34 | +When the security team receives a security bug report, they will assign it to a |
| 35 | +primary handler. This person will coordinate the fix and release process, |
| 36 | +involving the following steps: |
| 37 | + |
| 38 | + * Confirm the problem and determine the affected versions. |
| 39 | + * Audit code to find any potential similar problems. |
| 40 | + * Prepare fixes for all releases still under maintenance. These fixes will be |
| 41 | + released as fast as possible to npm. |
| 42 | + |
| 43 | +## The Express Threat Model |
| 44 | + |
| 45 | +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) |
| 46 | + |
| 47 | +## Comments on this Policy |
| 48 | + |
| 49 | +If you have suggestions on how this process could be improved please submit a |
| 50 | +pull request. |
0 commit comments