SECURITY.md: remove outdated sections, explicitly state no CVE #38

Open
aduh95 wants to merge 1 commit into main from refactor-default-security-policy

Conversation

aduh95 (Contributor) commented Jul 1, 2026

What triggered this change is a discussion between @RafaelGSS, @ShogunPanda, and myself regarding the vulnerabilities that were patched as part of the recent llhttp security release. We didn't ask for CVEs for those, and looking at the history we never did request any CVE for llhttp but one time (CVE-2020-8287) – and even then, the CVE was for Node.js, not llhttp.
The takeaway was that we needed to document that we do not issue CVEs for llhttp.

This file is used on all of our repos that do not have their own SECURITY.md, including e.g. https://github.com/nodejs/llhttp/security#disclosure-policy (maybe try opening the link from a private window to see what an unprivileged user sees).

Because that document was copied from the nodejs/node repo a few years back, I find it mostly off-topic: you thought you clicked on the security policy of llhttp, but it describes the one of Node.js, and does not even clarify that it doesn't apply to the current repo. So I took the opportunity to remove all the outdated and off-topic sections.

aduh95 (Contributor, Author) commented Jul 1, 2026

/cc @nodejs/tsc @nodejs/security

UlisesGascon (Member) left a comment

I think the edition is not correct (removing additional content not intended?) 🤔

aduh95 (Contributor, Author) commented Jul 1, 2026

> I think the edition is not correct (removing additional content not intended?) 🤔

From the ones I have removed, what section(s) you think we should keep?

UlisesGascon (Member) commented

My fault! I was thinking that this SECURITY.md was the one that is included in node, undici, etc., but the repos have a dedicated file so the changes make sense to me now 👍

mcollina (Member) commented Jul 1, 2026

We should issue CVEs for llhttp.

aduh95 (Contributor, Author) commented Jul 1, 2026

> We should issue CVEs for llhttp.

Well, we never did and don't have a process for it. If we want to start one, it should have its own SECURITY.md (and would no longer be affected by this change).

4 participants