The OpenJS Foundation's CVE Numbering Authority (CNA)
Security Policy
DRAFT Policy Version: 2025-05-28
OpenJS Foundation CNA
To help enable effective coordinated vulnerability disclosure, the OpenJS Foundation operates a CVE Numbering Authority (CNA) for its hosted Incubating, At Large, Impact, and Emeritus projects. Our CNA’s root is the Red Hat Open Source Root CNA.
You can learn more about us by visiting the OpenJS Security page and the CNA’s announcement blog posts.
OpenJS also provides Coordinated Vulnerability CVD program guidelines, templates, and direct operational support to project maintainers. This includes offering domain expertise to help maintainers build CVD-related policies and processes and, when requested, help facilitate and support the disclosure of vulnerabilities beyond CVE publication. As a CNA, hosted project maintainers are able to engage us to publish their CVEs, but are otherwise free to leverage us as best suits their individual needs.
The OpenJS Foundation does not provide a central technical security function and thus does not directly receive, triage, or remediate security vulnerabilities on behalf of its hosted projects.
OpenJS Project Maintainers
OpenJS project maintainers are responsible for independently operating their respective Vulnerability Disclosure Programs (VDP). This means each project has a unique Disclosure Policy with its own preferred vulnerability disclosure contact channels/platforms and program terms. Each project has its own methods for handling security vulnerabilities, including their own response and remediation timelines.
Disclosure Rules
- Do not share vulnerability data in public without first privately disclosing it to the project maintainer
- If unable to contact the project’s maintainer, please contact the OpenJS CNA at security@openjsf.org.
- Engage with project maintainers and the CNA professionally and in good faith.
- Adhere to the terms of hosted projects’ Vulnerability Disclosure Policies.
- Provide sufficient information about the security vulnerability to effectively triage and action your report.
Reporting a Vulnerability
Contact the project’s maintainer using their preferred contact channel
Please report security vulnerabilities to the project responsible for the source code where you believe the root cause of the vulnerability is found.
Each OpenJS project’s disclosure policy contains their preferred vulnerability disclosure contact channels and other project-specific terms. These policies are located in their respective Github projects, usually in security.md files. A list of all OpenJS project security policies can be found below.
Escalations
The OpenJS Foundation CNA is glad to work with security researchers and open source maintainers to ensure a professional and productive vulnerability disclosure process. Please contact us at security@openjsf.org for any of the following:
- If you are unable to find the private communications channel for a hosted project.
- If a hosted project does not respond to your initial report within 14 calendar days.
- If a hosted project refuses to publish a CVE for security vulnerability they have agreed to fix and requires users to install an update or take other action to mitigate or remediate.
- If you believe that a hosted project has erroneously rejected an exploitable security vulnerability.
CVE Publication Guidelines
The OpenJS Foundation CNA’s scope is limited to hosted projects found on our Project page. We do not publish CVEs related to security vulnerabilities for:
- Open source projects not hosted by the OpenJS Foundation
- Infrastructure of hosted projects
- Vulnerable dependencies used by a hosted project without evidence of exploitability
In Scope OpenJS Projects
List Updated 2025-05-28
Impact
At Large
- AMP
- Architect
- ESLint
- Esprima
- Fastify
- Globalize
- Grunt
- Interledger
- Intern
- NativeScript
- JerryScript
- Jest
- LoopBack
- Lodash
- Marko
- messageformat
- Mocha
- Moment
- Node-RED
- nvm
- QUnit
- WebdriverIO
- webhint