This document describes the criteria for eligibility of monetary reward for security researchers who engage with the Node.js Ecosystem bug bounty program.
As long as budget is available for the Node.js third-party modules program on HackerOne we will provide the following rewards:
- Critical bugs: $500
- High bugs: $250
These are also documented publicly on the official program's website on HackerOne: https://hackerone.com/nodejs-ecosystem/.
Note that only a specific set of modules are eligible for rewards and they are documented in the list below as confirmed modules.
- Module download count - x >= 1000 downloads a month which accounts for 7% of npm packages (courtesy of @ChALkeR here nodejs#151 (comment))
- Approved Modules - A list of modules where their maintainers approved to be included in the bug bounty program
Work-in-progress to assess the following characteristics:
- Module dependents count - we don't have enough experience to gauge what this means
- Vulnerability type - Consider instead to have a criteria based on vulnerability severity rather than type, so to match anything >= 4.0 which means Medium and higher.
The following is a list of modules which are eligible in the monetary reward due to their maintainers explicitly confirming to collaborate with the working group and security researchers to receive and resolve security reports.
- lodash (confirmed approval from John-David Dalton)
- fastify (confirmed approval from Matteo Collina)
- pino (confirmed approval from Matteo Collina)
- MQTT.js (confirmed approval from Matteo Collina)
- yarn (confirmed approval from Maël Nison)
- jQuery
- node-red
- hapi (all packages under the GH org)
- Koajs (all packages under the GH org)
- Webpack
- ESLint
- socket.io