@@ -124,23 +124,32 @@ This policy recognizes that experimental platforms may not compile, may not
124124pass the test suite, and do not have the same level of testing and support
125125infrastructure as Tier 1 and Tier 2 platforms.
126126
127- ### Experimental features behind compile-time flags
127+ ### Experimental features behind compile-time flags and V8 flags
128128
129129Node.js includes certain experimental features that are only available when
130130Node.js is compiled with specific flags. These features are intended for
131131development, debugging, or testing purposes and are not enabled in official
132132releases.
133133
134+ Node.js may also expose V8 features that are controlled by V8 command-line flags
135+ (e.g., ` --js-staging ` , ` --max_old_space_size ` ). These flags
136+ enable or modify V8-level JavaScript engine behavior that is not part of the
137+ ECMAScript specification that Node.js implements and is not part of the
138+ Node.js documented API surface.
139+
134140* Security vulnerabilities that only affect features behind compile-time flags
135- will ** not** be accepted as valid security issues.
141+ or V8 flags will ** not** be accepted as valid security issues.
136142* Any issues with these features will be treated as normal bugs.
137- * No CVEs will be issued for issues that only affect compile-time flag features.
138- * Bug bounty rewards are not available for compile-time flag feature issues.
143+ * No CVEs will be issued for issues that only affect compile-time flag or V8 flag features.
144+ * Bug bounty rewards are not available for compile-time flag or V8 flag feature issues.
139145
140146This policy recognizes that experimental features behind compile-time flags
141147are not ready for public consumption and may have incomplete implementations,
142148missing security hardening, or other limitations that make them unsuitable
143- for production use.
149+ for production use. Similarly, V8 flags expose internal V8 engine options that
150+ are not part of the Node.js documented API surface, are not enabled by
151+ default in production builds, and may have incomplete implementations or
152+ missing security hardening.
144153
145154### What constitutes a vulnerability
146155
0 commit comments