Skip to content

Commit 0854482

Browse files
mcollinarichardlau
authored andcommitted
doc: clarify defense-in-depth issues
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #64215 Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
1 parent fe0ea2b commit 0854482

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -276,6 +276,14 @@ the community they pose.
276276

277277
### Examples of non-vulnerabilities
278278

279+
#### Defense-in-depth issues
280+
281+
* Bugs whose fixes would only improve resilience after another security
282+
boundary has already failed, or reduce the impact of an issue outside the
283+
Node.js threat model, are considered defense-in-depth issues.
284+
* Defense-in-depth issues are never treated as Node.js security vulnerabilities,
285+
do not receive CVEs, and are handled as regular bugs or hardening improvements.
286+
279287
#### Malicious Third-Party Modules (CWE-1357)
280288

281289
* Code is trusted by Node.js. Therefore any scenario that requires a malicious

0 commit comments

Comments
 (0)