From 55e5378e6a99775b338dc9e4d4a55b356d9ee56b Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 30 Mar 2026 13:59:57 -0300 Subject: [PATCH 1/3] Blog: inform IBB program is paused --- .../discontinuing-security-bug-bounties.md | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md diff --git a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md new file mode 100644 index 0000000000000..62b4591835ded --- /dev/null +++ b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md 
@@ -0,0 +1,57 @@ +--- +date: '2026-03-30T12:00:00.000Z' +category: announcements +title: Security Bug Bounty Program Paused Due to Loss of Funding +layout: blog-post +author: Rafael Gonzaga +--- + +The Node.js project's security bug bounty program is being paused due to the +discontinuation of its external funding source. + +## Background + +Since 2016, the Node.js project has participated in the +[Internet Bug Bounty (IBB)](https://www.hackerone.com/internet-bug-bounty) program +through HackerOne, offering monetary rewards to security researchers who responsibly +disclosed vulnerabilities in Node.js. The program was a meaningful part of our +security ecosystem, and we're grateful to the researchers who participated. + +## Why + +The Internet Bug Bounty (IBB) program, which supported bounty rewards for Node.js +through a pooled donation-funded initiative, has been paused. +You can read more about the pause [here](https://hackerone.com/ibb?type=team). +This decision was not made by the Node.js project. + +As a volunteer-driven open-source project, Node.js does not have an independent +budget to sustain a bounty program on its own. Without external support, we are +not able to offer monetary rewards for vulnerability reports at this time. + +## What This Means + +- **Security reporting remains unchanged.** We still accept and triage vulnerability + reports through [HackerOne](https://hackerone.com/nodejs). If you discover a + security issue, please continue to report it responsibly. +- **No monetary rewards.** Reports will no longer be eligible for bounty payouts. +- **Same commitment to security.** The Node.js Security Team continues to treat + security with the highest priority. Our disclosure policy, response times, and + release process remain the same. + +## A Thank You to Researchers + +We want to sincerely thank every researcher who has reported vulnerabilities through +the bounty program over the years. 
Your contributions have made Node.js safer for +millions of users. We hope you will continue to report security issues even without +financial incentives — responsible disclosure is critical to the health of the +open-source ecosystem. + +## Looking Ahead + +We will re-evaluate resuming the bounty program if dedicated funding becomes +available again. If your organization depends on Node.js and is interested in +sponsoring a bug bounty program, please reach out through the +[OpenJS Foundation](https://openjsf.org/). + +For questions or to report a vulnerability, see our +[security reporting page](/about/security-reporting). From 205402967f576b950fcde5932d6608d2cde103b8 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Wed, 1 Apr 2026 15:04:38 -0300 Subject: [PATCH 2/3] Update apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md Co-authored-by: Aviv Keller Signed-off-by: Rafael Gonzaga --- .../blog/announcements/discontinuing-security-bug-bounties.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md index 62b4591835ded..cc84b1ff0fcad 100644 --- a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md +++ b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md @@ -1,5 +1,5 @@ --- -date: '2026-03-30T12:00:00.000Z' +date: '2026-04-02T12:00:00.000Z' category: announcements title: Security Bug Bounty Program Paused Due to Loss of Funding layout: blog-post From 0d8c03dd692ef126195bb74bcd6c1a2b48d28018 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 2 Apr 2026 10:01:13 -0300 Subject: [PATCH 3/3] fixup! Blog: inform IBB program is paused --- .../blog/announcements/discontinuing-security-bug-bounties.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md index cc84b1ff0fcad..72a82fe909d78 100644 --- a/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md +++ b/apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md @@ -3,7 +3,7 @@ date: '2026-04-02T12:00:00.000Z' category: announcements title: Security Bug Bounty Program Paused Due to Loss of Funding layout: blog-post -author: Rafael Gonzaga +author: The Node.js Project --- The Node.js project's security bug bounty program is being paused due to the
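Review bot: on the first hunk (PATCH 1/3, the new file), the file name `discontinuing-security-bug-bounties.md`, and therefore the post's URL slug, says "discontinuing" while the title, the body and the `## Looking Ahead` section all say the program is paused and may resume; rename the file to match (for example `security-bug-bounty-program-paused.md`) before this is published, since the slug is awkward to change once the URL has been shared. Two smaller points in the same hunk: the link text in `You can read more about the pause [here](https://hackerone.com/ibb?type=team).` should be descriptive rather than "here" (for example "read the IBB program's own notice"), and the statement "Since 2016, the Node.js project has participated in the Internet Bug Bounty" should be checked against the project's records before merge, as nothing else in the post backs the year.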
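Review bot: on the second hunk (PATCH 2/3), the commit subject `Update apps/site/pages/en/blog/announcements/discontinuing-security-bug-bounties.md` is the default generated when a review suggestion is applied and does not say what changed; the hunk only moves `date:` from `'2026-03-30T12:00:00.000Z'` to `'2026-04-02T12:00:00.000Z'`, so either reword it (for example "blog: set publication date to 2026-04-02") or squash it into the first commit so the history explains the date bump.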
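Review bot: on the third hunk (PATCH 3/3), `fixup! Blog: inform IBB program is paused` is intended to be autosquashed into the first commit and should not land as a separate commit. On the change itself, `-author: Rafael Gonzaga` / `+author: The Node.js Project` switches the front matter from a person to a project name; confirm that the site's blog layout accepts that value wherever it resolves `author` (byline, profile or avatar lookup) so the page does not render a broken or empty byline, and note that the post's collective "we" wording already fits the new author.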