From c93fbf5e61066cac16ef088b7c39a32b80e034ff Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 13 Jun 2025 11:29:27 +0200 Subject: [PATCH] docs: use global Security policy We should inherit https://github.com/expressjs/.github/blob/master/SECURITY.md directly. --- SECURITY.md | 56 ----------------------------------------------------- 1 file changed, 56 deletions(-) delete mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index ff106d62104..00000000000 --- a/SECURITY.md +++ /dev/null @@ -1,56 +0,0 @@ -# Security Policies and Procedures - -This document outlines security procedures and general policies for the Express -project. - - * [Reporting a Bug](#reporting-a-bug) - * [Disclosure Policy](#disclosure-policy) - * [Comments on this Policy](#comments-on-this-policy) - -## Reporting a Bug - -The Express team and community take all security bugs in Express seriously. -Thank you for improving the security of Express. We appreciate your efforts and -responsible disclosure and will make every effort to acknowledge your -contributions. - -Report security bugs by emailing `express-security@lists.openjsf.org`. - -To ensure the timely response to your report, please ensure that the entirety -of the report is contained within the email body and not solely behind a web -link or an attachment. - -The lead maintainer will acknowledge your email within 48 hours, and will send a -more detailed response within 48 hours indicating the next steps in handling -your report. After the initial reply to your report, the security team will -endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. - -Report security bugs in third-party modules to the person or team maintaining -the module. - -## Pre-release Versions - -Alpha and Beta releases are unstable and **not suitable for production use**. -Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. -Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release. - -## Disclosure Policy - -When the security team receives a security bug report, they will assign it to a -primary handler. This person will coordinate the fix and release process, -involving the following steps: - - * Confirm the problem and determine the affected versions. - * Audit code to find any potential similar problems. - * Prepare fixes for all releases still under maintenance. These fixes will be - released as fast as possible to npm. - -## The Express Threat Model - -We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) - -## Comments on this Policy - -If you have suggestions on how this process could be improved please submit a -pull request.