node-red/SECURITY.md

Security Policy

Reporting a Vulnerability

Please report any potential security issues to team@nodered.org. This will notify the core project team who will respond accordingly.

Escalation

If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at security@lists.openjsf.org.

If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.