docs: add YesWeHack policy #90

Open
wants to merge 2 commits into
base: main
Conversation

UlisesGascon
Member

@UlisesGascon UlisesGascon commented Jul 17, 2025

The program is not yet public (login and team addition is required) https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program

This will require review from @expressjs/security-triage and @expressjs/express-tc. Also, we will need to wait for feedback from the STF and YesWeHack teams before merging 👍

@UlisesGascon UlisesGascon requested review from a team July 17, 2025 13:42
@UlisesGascon UlisesGascon self-assigned this Jul 17, 2025
- The vulnerability must be previously undisclosed, both publicly and privately, and must not have been reported through any other channel ([security policy](https://github.com/expressjs/.github/blob/master/SECURITY.md)).
- The issue must meet the qualifying criteria defined in the program’s scope and threat model.
- The report must include a working reproducer (e.g., code, configuration, or sequence of steps) that demonstrates the issue clearly and reliably.
- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee) or an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)).
Member

@bjohansebas bjohansebas Jul 17, 2025

The triage team would fall under this scope, right? Since the triage team is not explicitly mentioned in that document.

Member

We also have the documentation triage team; this team falls under that scope.

Successfully merging this pull request may close these issues.

Time for a bounty program? Update Security Policies and Procedures
2 participants