Currently, security advisories are inconsistently documented here and here (for older lb2 vuln.).
They are also not known to the Node.js Security WG.
This may obscure security advisories from the end-user as they may depend on the messages appearing on npm install or npm audit, or through third-party tools such as Snyk.
From the Security | Node.js page:
Security bugs in third party modules should be reported to their respective maintainers and should also be coordinated through the Node.js Ecosystem Security Team via HackerOne.
Suggestion
-
Consolidate security advisories
The lb2 security advisories should be consolidated to the main security advisory page.
-
Revise security policy
In the spirit of fostering a safe, FOSS ecosystem, the project should adopt the Node.js Security WG Responsible Disclosure Policy to leverage a trusted vulnerability-reporting platform and bug bounty program (Node.js HackerOne programme).
-
Re-disclose old vulnerabilities
Existing vulnerabilities should be re-disclosed to the Node.js Security WG via HackerOne
-
Add a Responsible Disclosure badge:

Existing Examples
Express (which was under IBM) adopts a variant of the policy. Though the Node.js Security WG encourages coordination via HackerOne.
Acceptance criteria
TBD - will be filled by the team.
Currently, security advisories are inconsistently documented here and here (for older lb2 vuln.).
They are also not known to the Node.js Security WG.
This may obscure security advisories from the end-user as they may depend on the messages appearing on
npm installornpm audit, or through third-party tools such as Snyk.From the Security | Node.js page:
Suggestion
Consolidate security advisories
The lb2 security advisories should be consolidated to the main security advisory page.
Revise security policy
In the spirit of fostering a safe, FOSS ecosystem, the project should adopt the Node.js Security WG Responsible Disclosure Policy to leverage a trusted vulnerability-reporting platform and bug bounty program (Node.js HackerOne programme).
Re-disclose old vulnerabilities
Existing vulnerabilities should be re-disclosed to the Node.js Security WG via HackerOne
Add a
Responsible Disclosurebadge:Existing Examples
Express (which was under IBM) adopts a variant of the policy. Though the Node.js Security WG encourages coordination via HackerOne.
Acceptance criteria
TBD - will be filled by the team.