Skip to content

Commit 282c386

Browse files
committed
meta: v8 flags are outside the threat model
Signed-off-by: Matteo Collina <hello@matteocollina.com>
1 parent ea60060 commit 282c386

1 file changed

Lines changed: 19 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,25 @@ are not ready for public consumption and may have incomplete implementations,
142142
missing security hardening, or other limitations that make them unsuitable
143143
for production use.
144144

145+
### V8 flags
146+
147+
Node.js may expose V8 features that are controlled by V8 command-line flags
148+
(e.g., `--harmony-optional-chaining`, `--max_old_space_size`). These flags
149+
enable or modify V8-level JavaScript engine behavior that is not part of the
150+
ECMAScript specification that Node.js implements and is not part of the
151+
Node.js documented API surface.
152+
153+
* Security vulnerabilities that can only be triggered via V8 flags
154+
will **not** be accepted as valid security issues.
155+
* Any issues with these features will be treated as normal bugs.
156+
* No CVEs will be issued for issues that only affect V8 flag features.
157+
* Bug bounty rewards are not available for V8 flag feature issues.
158+
159+
This policy recognizes that V8 flags expose internal V8 engine options that
160+
are not part of the Node.js documented API surface, are not enabled by
161+
default in production builds, and may have incomplete implementations or
162+
missing security hardening.
163+
145164
### What constitutes a vulnerability
146165

147166
Being able to cause the following through control of the elements that Node.js

0 commit comments

Comments
 (0)