diff --git a/SECURITY.md b/SECURITY.md index e32ca8208adf87..ab5fc4a14732d9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -142,6 +142,25 @@ are not ready for public consumption and may have incomplete implementations, missing security hardening, or other limitations that make them unsuitable for production use. +### V8 flags + +Node.js may expose V8 features that are controlled by V8 command-line flags +(e.g., `--harmony-optional-chaining`, `--max_old_space_size`). These flags +enable or modify V8-level JavaScript engine behavior that is not part of the +ECMAScript specification that Node.js implements and is not part of the +Node.js documented API surface. + +* Security vulnerabilities that can only be triggered via V8 flags + will **not** be accepted as valid security issues. +* Any issues with these features will be treated as normal bugs. +* No CVEs will be issued for issues that only affect V8 flag features. +* Bug bounty rewards are not available for V8 flag feature issues. + +This policy recognizes that V8 flags expose internal V8 engine options that +are not part of the Node.js documented API surface, are not enabled by +default in production builds, and may have incomplete implementations or +missing security hardening. + ### What constitutes a vulnerability Being able to cause the following through control of the elements that Node.js
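Review bot: The two example flags in the opening paragraph of the new "V8 flags" section do not fit the rationale given in the closing paragraph, which leaves the scope of the exclusion unclear. `--max_old_space_size` is a heap-size limit rather than an experimental feature, so "not enabled by default in production builds" and "incomplete implementations" do not describe it, and it is commonly set in production. Optional chaining is now standard ECMAScript, which makes `--harmony-optional-chaining` an odd example of behavior "not part of the ECMAScript specification". Suggest stating explicitly whether the policy covers every flag that is passed through to V8 or only flags that turn on experimental or in-progress V8 features, and choosing examples that match. It would also help to say how flags that Node.js lists in its own CLI documentation are treated, since the text relies on "not part of the Node.js documented API surface" in both the first and last paragraphs. Minor: the examples mix dash and underscore spelling; pick one.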