meta: allow penetration testing on live system with prior authorization

Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: https://github.com/nodejs/node/pull/57966 Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jordan Harband <ljharb@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
2025-04-23 17:42:25 +02:00 · 2025-04-23 17:42:25 +02:00 · bd3f27166b
commit bd3f27166b
parent 7bc37af0f7
1 changed files with 3 additions and 1 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -72,7 +72,9 @@ When reporting security vulnerabilities, reporters must adhere to the following

 3. **Responsible Testing**: When testing potential vulnerabilities:
   * Use isolated, controlled environments.
-   * Do not test on production systems.
+   * Do not test on production systems without prior authorization. Contact
+     the Node.js Technical Steering Committee (<tsc@iojs.org>) for permission or open
+     a HackerOne report.
   * Do not attempt to access or modify other users' data.
   * Immediately stop testing if unauthorized access is gained accidentally.