From bd3f27166b37cfde9349d31501cf0aa3401c7b61 Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Wed, 23 Apr 2025 17:42:25 +0200 Subject: [PATCH] meta: allow penetration testing on live system with prior authorization Signed-off-by: Matteo Collina PR-URL: https://github.com/nodejs/node/pull/57966 Reviewed-By: Chengzhong Wu Reviewed-By: Paolo Insogna Reviewed-By: Luigi Pinca Reviewed-By: Darshan Sen Reviewed-By: Marco Ippolito Reviewed-By: James M Snell Reviewed-By: Jordan Harband Reviewed-By: Antoine du Hamel Reviewed-By: Michael Dawson --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b932e83b29b..9650e812914 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -72,7 +72,9 @@ When reporting security vulnerabilities, reporters must adhere to the following 3. **Responsible Testing**: When testing potential vulnerabilities: * Use isolated, controlled environments. - * Do not test on production systems. + * Do not test on production systems without prior authorization. Contact + the Node.js Technical Steering Committee () for permission or open + a HackerOne report. * Do not attempt to access or modify other users' data. * Immediately stop testing if unauthorized access is gained accidentally.
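Review bot: In the added bullet under "Responsible Testing", the wording "Contact the Node.js Technical Steering Committee () for permission or open a HackerOne report" does not say whether opening a HackerOne report is enough on its own, or whether the reporter must wait for an explicit approval before testing production systems. I would state that testing may start only after authorization has been received in writing. I would also say what the request should cover, such as which systems, which time window and what kind of testing, so that "prior authorization" has a defined scope. The parentheses after the committee name are empty as shown here, so please confirm the contact address is actually present in SECURITY.md.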