Commit 8410a91

mcollina and legendecas authored
meta: clarify V8 flags are outside threat model
Signed-off-by: Matteo Collina <hello@matteocollina.com>
Co-authored-by: Chengzhong Wu <legendecas@gmail.com>
PR-URL: #64224
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1 parent 8a35750 commit 8410a91

1 file changed

Lines changed: 14 additions & 5 deletions

SECURITY.md

@@ -124,23 +124,32 @@ This policy recognizes that experimental platforms may not compile, may not
124124
pass the test suite, and do not have the same level of testing and support
125125
infrastructure as Tier 1 and Tier 2 platforms.
126126

127-
### Experimental features behind compile-time flags
127+
### Experimental features behind compile-time flags and V8 flags
128128

129129
Node.js includes certain experimental features that are only available when
130130
Node.js is compiled with specific flags. These features are intended for
131131
development, debugging, or testing purposes and are not enabled in official
132132
releases.
133133

134+
Node.js may also expose V8 features that are controlled by V8 command-line flags
135+
(e.g., `--js-staging`, `--max_old_space_size`). These flags
136+
enable or modify V8-level JavaScript engine behavior that is not part of the
137+
ECMAScript specification that Node.js implements and is not part of the
138+
Node.js documented API surface.
139+
134140
* Security vulnerabilities that only affect features behind compile-time flags
135-
will **not** be accepted as valid security issues.
141+
or V8 flags will **not** be accepted as valid security issues.
136142
* Any issues with these features will be treated as normal bugs.
137-
* No CVEs will be issued for issues that only affect compile-time flag features.
138-
* Bug bounty rewards are not available for compile-time flag feature issues.
143+
* No CVEs will be issued for issues that only affect compile-time flag or V8 flag features.
144+
* Bug bounty rewards are not available for compile-time flag or V8 flag feature issues.
139145

140146
This policy recognizes that experimental features behind compile-time flags
141147
are not ready for public consumption and may have incomplete implementations,
142148
missing security hardening, or other limitations that make them unsuitable
143-
for production use.
149+
for production use. Similarly, V8 flags expose internal V8 engine options that
150+
are not part of the Node.js documented API surface, are not enabled by
151+
default in production builds, and may have incomplete implementations or
152+
missing security hardening.
144153

145154
### What constitutes a vulnerability
146155

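Review bot: The exclusion criterion in the added paragraph (new lines 134-138) is ambiguous, because `--max_old_space_size` is given as an example next to `--js-staging` under a heading that still reads "Experimental features". A heap-size limit is a tuning option rather than an experimental feature, and the closing rationale (new lines 149-152) justifies the exclusion by "incomplete implementations or missing security hardening", which fits `--js-staging` but not a memory limit. As written, a reporter cannot tell whether an issue that is only reachable when the heap limit has been changed is out of scope, or whether only flags that switch on unfinished engine features are meant. Suggest stating the rule explicitly, for example that any issue requiring a V8 flag to be passed on the command line is out of scope regardless of what the flag does, or else replacing the second example with another staging-type flag. Two smaller style points: the two example flags mix hyphen and underscore spelling, so pick one form; and the bullet at new line 143 runs well past the roughly 80-column wrap used by the surrounding lines, while new line 135 is wrapped short.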