From bb922a234ec430e65da84c0b3aaffdc399830aa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 15:07:17 +0200 Subject: [PATCH] docs: add security escalation policy --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 816ac507b..eac86a2e5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,3 +3,9 @@ ## Reporting a Vulnerability Please report any potential security issues to `team@nodered.org`. This will notify the core project team who will respond accordingly. + +## Escalation + +If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.