
Commit 8121e3f

meta: clarify --harmony features are outside threat model
Signed-off-by: Matteo Collina <hello@matteocollina.com>
1 parent ea60060 commit 8121e3f

1 file changed

Lines changed: 19 additions & 0 deletions

File tree

SECURITY.md

@@ -142,6 +142,25 @@ are not ready for public consumption and may have incomplete implementations,
142142
missing security hardening, or other limitations that make them unsuitable
143143
for production use.
144144

145+
### Experimental features behind `--harmony` flags
146+
147+
Node.js may expose V8 features that are controlled by `--harmony` flags
148+
(e.g., `--harmony-optional-chaining`, `--harmony-shadowrealm`). These flags
149+
enable V8-level JavaScript language features that are not part of the
150+
ECMAScript specification that Node.js implements and are not part of the
151+
Node.js documented API surface.
152+
153+
* Security vulnerabilities that can only be triggered via `--harmony` flags
154+
will **not** be accepted as valid security issues.
155+
* Any issues with these features will be treated as normal bugs.
156+
* No CVEs will be issued for issues that only affect `--harmony` flag features.
157+
* Bug bounty rewards are not available for `--harmony` flag feature issues.
158+
159+
This policy recognizes that `--harmony` flags expose experimental V8 features
160+
that are not part of the Node.js documented API surface, are not enabled by
161+
default in production builds, and may have incomplete implementations or
162+
missing security hardening.
163+
145164
### What constitutes a vulnerability
146165

147166
Being able to cause the following through control of the elements that Node.js
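Review bot: the first example flag undercuts the criterion the new paragraph states. Lines 147-151 say `--harmony` flags enable features "that are not part of the ECMAScript specification that Node.js implements", yet the parenthetical offers `--harmony-optional-chaining` as an example, and optional chaining has been standard ECMAScript (ES2020) and on by default for years, so a reader can reasonably ask whether a bug in optional chaining is now out of scope. Either drop that example in favour of a flag whose feature is still a non-standard, off-by-default proposal (the `--harmony-shadowrealm` example already fits), or reword the criterion to the property the policy actually relies on, which line 160-161 already names: the feature is "not enabled by default in production builds". It would also help to say explicitly what happens once a feature graduates from a `--harmony` flag to default-on in a Node.js release, since the bullet on lines 153-154 ("can only be triggered via `--harmony` flags") is the test reporters will apply and it should not be read as excluding the shipped feature.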
