From f8511e0b27cd42dfdc64ec631d33bcfd38261207 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Mon, 3 Apr 2023 06:28:10 -0300 Subject: [PATCH] doc: clarify reports are only evaluated on active versions PR-URL: https://github.com/nodejs/node/pull/47341 Reviewed-By: Richard Lau Reviewed-By: Beth Griggs Reviewed-By: James M Snell --- SECURITY.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index acf83434de4e79..02c9f83aa32c1a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -31,11 +31,12 @@ maintainers. Here is the security disclosure policy for Node.js * The security report is received and is assigned a primary handler. This - person will coordinate the fix and release process. The problem is confirmed - and a list of all affected versions is determined. Code is audited to find - any potential similar problems. Fixes are prepared for all releases which are - still under maintenance. These fixes are not committed to the public - repository but rather held locally pending the announcement. + person will coordinate the fix and release process. The problem is validated + against all supported Node.js versions. Once confirmed, a list of all affected + versions is determined. Code is audited to find any potential similar + problems. Fixes are prepared for all supported releases. + These fixes are not committed to the public repository but rather held locally + pending the announcement. * A suggested embargo date for this vulnerability is chosen and a CVE (Common Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
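Review bot: the wording in this hunk introduces "supported" (in "validated against all supported Node.js versions" and "Fixes are prepared for all supported releases") without saying what counts as supported, while the subject line of the commit says "active versions"; pick one term and, since readers of SECURITY.md will not know the release-line vocabulary, point at the release schedule that defines it, e.g. "Fixes are prepared for all supported releases (see the Node.js release schedule)." The replaced text at least made the criterion explicit with "still under maintenance", so dropping that qualifier without a pointer loses information for a reporter trying to judge whether an old line is in scope. Minor style point: the line "problems. Fixes are prepared for all supported releases." is short while the following sentence starts on its own line ("These fixes are not committed to the public repository but rather held locally"), so the paragraph is no longer wrapped consistently with the surrounding 80-column text; re-flow the paragraph before landing.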