Open
Conversation
bjohansebas reviewed Jul 17, 2025
bjohansebas reviewed Jul 29, 2025
UlisesGascon commented Aug 7, 2025
UlisesGascon commented Aug 7, 2025
krzysdz reviewed Aug 7, 2025
jonchurch requested changes Aug 18, 2025
ctcpip reviewed Aug 18, 2025
jonchurch reviewed Aug 18, 2025
wesleytodd approved these changes Aug 18, 2025
Co-authored-by: Wes Todd <wes@wesleytodd.com>
Co-authored-by: Jon Church <me@jonchurch.com>
UlisesGascon commented Aug 18, 2025
### Bug bounty description

| Scope Type | Scope | Asset value |
Note for myself: Check that the npm versions are correctly deprecated and aligned with the LTS plan. Only express was verified.
efekrskl reviewed Oct 21, 2025
efekrskl reviewed Oct 21, 2025
sheplu requested changes Nov 23, 2025
- Oversee the advisory & CVE request process if applicable.
- Escalate critical vulnerabilities when necessary.
- Track all security reports for visibility and reporting.
- Handle communications and disputes on the YesWeHack platform (if needed)
Do we want to keep the "(if needed)"? I guess we will always communicate there that an issue was reported on YWH?
They changed their name and redirect to the new domain.
jonchurch approved these changes Dec 8, 2025
jonchurch left a comment:
pending the deprecation version check that @UlisesGascon left a todo about:
#90 (comment)
The program is not yet public (login and team addition is required) https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program
This will require the review from the @expressjs/security-triage and @expressjs/express-tc. Also, we will need to wait for the feedback from the STF and YesWeHack teams (before merging) 👍