From 0a5418088fb724c0ab4a958447e338ad13c6d2eb Mon Sep 17 00:00:00 2001
From: Matteo Collina
Date: Sat, 20 Dec 2025 11:21:03 +0100
Subject: [PATCH] doc: exclude compile-time flag features from security policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a new section to the security model clarifying that experimental features behind compile-time flags are not covered by the vulnerability reporting policy. These features are intended for development only and are not enabled in official releases.

PR-URL: https://github.com/nodejs/node/pull/61109
Reviewed-By: Antoine du Hamel
Reviewed-By: Ulises Gascón
Reviewed-By: Rafael Gonzaga
Reviewed-By: Luigi Pinca
Reviewed-By: Marco Ippolito
---
 SECURITY.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 087ea563c9..a641148bce 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -125,6 +125,26 @@ This policy recognizes that experimental platforms may not compile, may not pass the test suite, and do not have the same level of testing and support infrastructure as Tier 1 and Tier 2 platforms. +### Experimental features behind compile-time flags + +Node.js includes certain experimental features that are only available when +Node.js is compiled with specific flags. These features are intended for +development, debugging, or testing purposes and are not enabled in official +releases. + +* Security vulnerabilities that only affect features behind compile-time flags + will **not** be accepted as valid security issues. +* Any issues with these features will be treated as normal bugs. +* No CVEs will be issued for issues that only affect compile-time flag features. +* Bug bounty rewards are not available for compile-time flag feature issues. + +This policy recognizes that experimental features behind compile-time flags +are not ready for public consumption and may have incomplete implementations, +missing security hardening, or other limitations that make them unsuitable +for production use. + +### What constitutes a vulnerability + Being able to cause the following through control of the elements that Node.js does not trust is considered a vulnerability:
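Review bot: the new "Experimental features behind compile-time flags" section never says which flags it means ("compiled with specific flags"), so a reporter cannot tell whether a finding is in or out of scope before filing; suggest either linking to where those build options are documented or stating the rule concretely, e.g. "a feature is out of scope only when it is disabled in every official release binary". The exclusion also rests entirely on "are not enabled in official releases", so it would help to add one sentence on the case where a downstream distributor builds Node.js with such a flag and ships it, making clear that the resulting exposure is the distributor's responsibility rather than a Node.js security issue, since that is the situation most likely to generate disputed reports.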