eeymoo/nvm
1
0
Fork 0
mirror of https://github.com/nvm-sh/nvm.git synced 2026-02-04 17:02:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
b1dd81097f34d1827621e80a6c5c5a802ef6b1f2
nvm/.github/SECURITY.md
Ulises Gascón a36448ffcd [security] add security escalation policy
2025-09-15 14:33:37 +02:00

1.4 KiB
Raw Blame History

Security

Please file a private vulnerability report via GitHub, email @ljharb, or see https://tidelift.com/security if you have a potential security vulnerability to report.

Escalation

If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at security@lists.openjsf.org.

If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.

OpenSSF CII Best Practices

CII Best Practices

There are three “tiers”: passing, silver, and gold.

Passing

We meet 100% of the “passing” criteria.

Silver

We meet 100% of the “silver” criteria.

Gold

We meet 78% of the “gold” criteria. The gaps are as follows:

  • because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
  • We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.

Threat Model

See THREAT_MODEL.md.

Incident Response Plan

Please see our Incident Response Plan.