From e9b3bbd7a7bf6b5e655fc0be97d7f79d9e67dbb3 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Wed, 28 May 2025 18:48:17 -0500 Subject: [PATCH 1/2] security: add section on pre-release versions and reporting vulnerabilities Signed-off-by: Sebastian Beltran --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 38b4775..c027a9a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -56,6 +56,12 @@ The lead maintainer will acknowledge your email within 48 hours and provide an i If the security issue pertains to a third-party module that is not directly maintained within the Express ecosystem, please report it to the maintainers of that module. +## Pre-release Versions + +Alpha and Beta releases are unstable and **not suitable for production use**. +Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug-or-security-vulnerability) section. +Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release. + ## Disclosure Policy When the security team receives a security bug report, they will assign it to a From e608b3be6aaa7632f6074b0421fad7aa0bc73ab3 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Wed, 28 May 2025 21:03:37 -0500 Subject: [PATCH 2/2] update link Signed-off-by: Sebastian Beltran --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index c027a9a..5bc08fb 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -15,7 +15,7 @@ We appreciate your efforts in responsible disclosure and will make every effort to acknowledge your contributions. A [Security triage team member](https://github.com/expressjs/security-wg#security-triage-team) -or [the repo captain](https://github.com/expressjs/express/blob/master/Contributing.md#active-projects-and-captains) +or [the repo captain](https://github.com/expressjs/discussions/blob/HEAD/docs/contributing/captains_and_committers.md) will acknowledge your report as soon as possible. These timelines may extend when our triage volunteers are away on holiday, particularly at the end of the year.
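Review bot: in the first commit's hunk, the new "Pre-release Versions" section links to `#reporting-a-bug-or-security-vulnerability`, but no heading with that slug is visible in the surrounding context, so confirm the anchor matches the existing heading text exactly before merging; a dead in-page link in SECURITY.md is the one place a reporter should never hit. In the same hunk, "Due to the unstable nature of the branch" leaves "the branch" undefined, so name it (for example "the pre-release branch") so readers know which line of development the no-fix-guarantee applies to, and consider lowercasing "Alpha and Beta" to match ordinary usage.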
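Review bot: the replacement link in the second commit's hunk drops the section anchor the old one carried (`#active-projects-and-captains`), so "the repo captain" now lands at the top of `captains_and_committers.md` rather than at the list of captains; if the new document has a corresponding section, append its anchor so a reporter can find the right person without scrolling. Referencing `blob/HEAD` instead of a branch name is a sound choice, since the link survives a default-branch rename, but the commit message "update link" gives no reason for the move, and a one-line note that the contributing docs relocated to the discussions repo would help anyone auditing this history later.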