From 0ce624e3b84722518a054c3b4e0509cadcdc701f Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Tue, 30 Jun 2026 12:19:39 +0200 Subject: [PATCH] doc: clarify defense-in-depth issues Signed-off-by: Matteo Collina --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index e32ca8208adf87..4dde9920a4e161 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -276,6 +276,14 @@ the community they pose. ### Examples of non-vulnerabilities +#### Defense-in-depth issues + +* Bugs whose fixes would only improve resilience after another security + boundary has already failed, or reduce the impact of an issue outside the + Node.js threat model, are considered defense-in-depth issues. +* Defense-in-depth issues are never treated as Node.js security vulnerabilities, + do not receive CVEs, and are handled as regular bugs or hardening improvements. + #### Malicious Third-Party Modules (CWE-1357) * Code is trusted by Node.js. Therefore any scenario that requires a malicious
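Review bot: The first bullet of the new "Defense-in-depth issues" subsection defines the category in the abstract only ("after another security boundary has already failed", "outside the Node.js threat model"), which leaves a reporter to guess what counts; the sibling subsection "Malicious Third-Party Modules (CWE-1357)" follows its definition with a concrete scenario ("Code is trusted by Node.js. Therefore any scenario that requires a malicious ..."), and this one should do the same, with a link to the threat-model section referenced in the bullet so "security boundary" has a fixed meaning. The second bullet states the consequence ("never treated as ... vulnerabilities, do not receive CVEs, and are handled as regular bugs or hardening improvements") but not the process, so consider adding a sentence saying where such reports should go instead (a public issue or pull request rather than the private security contact), since the surrounding text is the triage guidance reporters read before choosing a channel.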