From 12154c73eccd357ed9c03a8ed64f32816f8c1a6b Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 17 Jul 2025 15:38:51 +0200 Subject: [PATCH 01/10] docs: sync YesWeHack policy --- docs/bub_bounty_details.md | 105 +++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 docs/bub_bounty_details.md diff --git a/docs/bub_bounty_details.md b/docs/bub_bounty_details.md new file mode 100644 index 0000000..cf0e588 --- /dev/null +++ b/docs/bub_bounty_details.md 
@@ -0,0 +1,105 @@ +# Bug Bounty Details + +> [!NOTE] +> This file is a version-controlled copy of the official policy on [YesWeHack](https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program). +It is used internally to track changes and coordinate updates. +**Do not rely on this file as the source of truth when reporting vulnerabilities. Always refer to the official YesWeHack page to ensure you have the latest and most accurate information**. + +---- + + +### Bug bounty description + +| Scope Type | Scope | Asset value | +|----------|:-------------:|------:| +| Other | npm: express | high | +| Other | npm: body-parser | high | +| Other | npm: path-to-regexp | high | +| Other | npm: cookie | high | +| Other | npm: http-errors | high | +| Other | npm: on-finished | high | +| Other | npm: multer | high | + + +### Out-Of-Scope +- Anything related to https://express.com is out of scope. +- npm packages that are not explicitly listed in the scope of the program are not accepted. + + +## Qualifying Vulnerabilities +- Issues found in outdated or unsupported versions of our npm packages are not accepted. +- For examples and guidance, see: https://expressjs.com/en/advanced/security-updates.html + + +## Non-Qualifying Vulnerabilities + +- Anything not listed under Qualifying Vulnerabilities is not accepted by default and may only be considered at the discretion of the maintainers. +- Reports describing purely hypothetical vulnerabilities without a reproducible proof of concept. +- Proofs of concept that do not use publicly available or freely accessible software. +- Issues found in external dependencies, including cryptographic libraries. +- Issues discovered through oss-fuzz or other upstream CI systems. +- Reports generated solely by AI tools. +- Reports concerning vulnerabilities in example code included in the repositories. 
+- For reference examples, see: https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md#examples-of-non-vulnerabilities + + +## Policy + +--- + +⚠️ **Your report must contain all the mandatory parts of the report submission template proposed on this program**⚠️ + +# Project + + +Express.js is a fast, unopinionated, minimalist web framework for Node.js. It provides a robust set of features for building web and mobile applications. Express handles routing, middleware, and HTTP utilities, serving as a foundational framework in the Node.js ecosystem. + +The scope of this program spans multiple npm packages maintained by the Express.js team across three GitHub organizations ([expressjs](https://github.com/expressjs), [pillarjs](https://github.com/pillarjs) and [jshttp](https://github.com/jshttp)). These repositories contain the core modules, middleware components, and foundational utilities that power the Express.js ecosystem. + +This bug bounty program is paid for by the [Sovereign Tech Resilience program](https://www.sovereigntechfund.de/programs/bug-resilience). + +## Scopes + +You can find our repositories on three different GitHub organizations ([expressjs](https://github.com/expressjs), [pillarjs](https://github.com/pillarjs) and [jshttp](https://github.com/jshttp)). + +You can find the packages in npm: [express](https://www.npmjs.com/package/express), [body-parser](https://www.npmjs.com/package/body-parser), [path-to-regexp](https://www.npmjs.com/package/path-to-regexp), [cookie](https://www.npmjs.com/package/cookie), [http-errors](https://www.npmjs.com/package/http-errors), [on-finished](https://www.npmjs.com/package/on-finished) and [multer](https://www.npmjs.com/package/multer) + +## Program Rules + +- We welcome external reviews by security researchers in order to identify bugs in our components. 
+- The scope of this program only applies to the software we build, not to our CI infrastructure or our git/website hosting, and any such attack is prohibited. +- Issues must be reproducible in our setup in order to be accepted as valid. +- We operate this bounty program on a "One Fix One Reward" basis. We consider an issue duplicated if it was previously reported through other channels, and also if it affects a common code module and it was already reported for a different component. +- The Express.js project includes a variety of tools and components, many of which are independent modules, and some of which are experimental. This bug bounty program covers only a specific subset of these components, which will be explicitly defined in the scope section. The list of included components may change over time as the project evolves. +- Express.js takes an unopinionated approach to application design and security configuration. Many features are optional and intentionally flexible to accommodate a wide range of use cases. For this reason, not all security-related behaviors are enforced by default. To better understand what constitutes a valid security vulnerability within our ecosystem, please refer to the [Express Threat Model](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md). This document outlines what Express considers in scope for security concerns and may be updated over time as the framework and its environment evolve. + +### Precautions + +- Do not include Personally Identifiable Information (PII) in your report and redact or obfuscate any PII that is part of your PoC (logs, screenshot, terminal captures, etc.). 
+ +## Eligibility + +Every valid report that helps us improve the security of the project is welcome, however, in order to qualify for monetary rewards the following eligibility requirements must be met at a minimum: + +- The issue must originate from code published on npm, within a version of an npm package that falls under the scope of this program. +- The vulnerability must be previously undisclosed, both publicly and privately, and must not have been reported through any other channel ([security policy](https://github.com/expressjs/.github/blob/master/SECURITY.md)). +- The issue must meet the qualifying criteria defined in the program’s scope and threat model. +- The report must include a working reproducer (e.g., code, configuration, or sequence of steps) that demonstrates the issue clearly and reliably. +- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee) or an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)). +- Severity is assessed based on the maximum impact demonstrated by your proof of concept (PoC), not on hypothetical impact. +- Only issues affecting released npm packages are eligible. Vulnerabilities found in unreleased code, git branches, or forks are not eligible for rewards. +- **Your report must contain all the mandatory parts of the report submission template proposed on this program** + + + +## Rating and Responsible Disclosure + +CVSS is used to rate and categorize vulnerabilities. Vulnerabilities will be publicly disclosed after sufficient time has passed and fixes have been backported where needed, if deemed necessary in coordination with other maintainers. + +Advisories will be published on the advisory page of our GitHub repository, and where deemed necessary as CVEs. 
+ +We handle the full disclosure process and expect submitters not to disclose any findings themselves. If requested, we will fully credit the reporters in the advisories. + +The process for external reporting is described on GitHub + +--- \ No newline at end of file From 5f4c3b38406972c83195968830cad900866b2367 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 17 Jul 2025 16:13:04 +0200 Subject: [PATCH 02/10] docs: include Bug Bounty and the Bounty Liaison role in the IRP --- docs/incident_response_plan.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/incident_response_plan.md b/docs/incident_response_plan.md index 6556687..85cabcf 100644 --- a/docs/incident_response_plan.md +++ b/docs/incident_response_plan.md 
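Review bot: in PATCH 01/10's `@@ -0,0 +1,105 @@` hunk, the `## Qualifying Vulnerabilities` section never says what qualifies; its two bullets (`- Issues found in outdated or unsupported versions of our npm packages are not accepted.` and a link) are exclusions, so the rule under `## Non-Qualifying Vulnerabilities` that "Anything not listed under Qualifying Vulnerabilities is not accepted by default" currently rejects every report. Add positive criteria there (at minimum the in-scope classes from the threat model) or point at the threat-model section that defines them. Smaller points in the same hunk: the new file is created as `docs/bub_bounty_details.md` (typo for `bug_`); the out-of-scope bullet refers to `https://express.com`, which is not the project domain used elsewhere in the file (`https://expressjs.com/en/advanced/security-updates.html`); `The process for external reporting is described on GitHub` has neither a link nor a full stop, unlike the surrounding sentences; the file ends without a trailing newline. The heading levels are also mixed (`### Bug bounty description` and `### Out-Of-Scope` sit under the H1 with no H2, and `# Project` starts a second H1 mid-file), which renders as an odd outline.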
@@ -10,6 +10,16 @@ Security is a top priority for the Express project. This document outlines the * The Security Triage Team will use this document as a process guide when a security vulnerability is reported, from triage to resolution. This process must align with the project's [SECURITY policy](https://github.com/expressjs/.github/blob/master/SECURITY.md) and cannot diverge significantly. +This process applies to all security reports, whether submitted via public channels, private disclosures, or through formal bounty platforms such as YesWeHack. + + +## Bug Bounty Program + +The Express project participates in a paid bug bounty program funded by the [Sovereign Tech Resilience Program](https://www.sovereigntechfund.de/programs/bug-resilience) and hosted on YesWeHack. + +The goal of this program is to encourage responsible security research by providing financial rewards for qualifying vulnerability reports. Reports submitted through YesWeHack follow the same review and triage process as outlined in this Incident Response Plan. + +Program Link: [https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program](https://yeswehack.com/business-units/sovereign-tech-fund/programs/express-js-bug-bounty-program) ## Security Report Handling Flowchart The following diagram details the **decision-making process** for handling security reports: @@ -97,6 +107,7 @@ This person acts as the focal point for a specific security report and ensures t - Oversee the advisory & CVE request process if applicable. - Escalate critical vulnerabilities when necessary. - Track all security reports for visibility and reporting. +- Handle communications and disputes on the YesWeHack platform (if needed) **Requirements** - Must be a member of the Security Triage Team. 
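Review bot: in the `@@ -97,6 +107,7 @@` hunk of PATCH 02/10, the new Security Report Coordinator responsibility `+- Handle communications and disputes on the YesWeHack platform (if needed)` overlaps with the Bounty Liaison role introduced in the next hunk (`Serve as the primary contact between the Express project and the YesWeHack triage team.`), so a disputed report has two owners. State which role owns platform communication (for example, the SRC handles report-level technical discussion and disputes about severity or payout escalate to the Bounty Liaison), and end the bullet with a period like its neighbours.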
@@ -121,6 +132,21 @@ This person acts as the focal point for a specific security report and ensures t - Test the patch to ensure it works as expected. - Create a pull request to merge the patch into the project. +### Bounty Liaison + +This role is currently fulfilled by @wesleytodd and @UlisesGascon on behalf of the Express TC (Technical Committee). + +**Responsibilities** +- Serve as the primary contact between the Express project and the YesWeHack triage team. +- Coordinate with the Sovereign Tech Resilience program team on matters related to funding, compliance, and reporting. +- Ensure bounty payouts are issued promptly and accurately for validated and accepted reports. +- Facilitate internal discussions regarding reward tiers, scope changes, and platform feedback. +- Maintain and update the YesWeHack program scope, documentation, and communication policies as needed. + +**Requirements** +- Must be an active member of the Express Technical Committee (TC). + + ## Runbook The following sections outline the **step-by-step process**, explaining each decision, scenario, and possible actions. In this guide we also include links that are private (limited to the security triage team), a general overview of the process in flowchart format can be found [here](#security-report-handling-flowchart). 
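Review bot: in the `@@ -121,6 +132,21 @@` hunk, `This role is currently fulfilled by @wesleytodd and @UlisesGascon on behalf of the Express TC (Technical Committee).` hard-codes individuals into a process document, whereas the Security Report Coordinator section in the previous hunk describes requirements (`Must be a member of the Security Triage Team.`) rather than people. Move the current assignees to a governance or members list and link it, or flag the line as something to update on each TC rotation. `Ensure bounty payouts are issued promptly and accurately for validated and accepted reports.` also duplicates runbook step 4.4 in the next hunk (`The reward is processed per the bounty terms.`, assigned to the SRC); say which of the two roles actually triggers the payout.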
@@ -186,3 +212,8 @@ Ideally, the report must contain **clear and detailed information** like (Affect 4.2 The Security Report Coordinator (SRC) will also help to publish a blog post about the vulnerability and the patch (if applicable, example [September 2024 Security Releases](https://expressjs.com/2024/09/29/security-releases.html)). 4.3 The TC team will do social media announcements about the vulnerability and the patch (if applicable, example [Tweet post](https://x.com/UseExpressJS/status/1772300472730198037)). + +4.4 For reports originated in YesWeHack, the Security Report Coordinator must ensure that: +- The advisory (if public) includes an optional credit line for the reporter, based on YesWeHack preferences. +- The reward is processed per the bounty terms. +- The report is marked as resolved and paid within the YesWeHack dashboard. \ No newline at end of file From 0e5ba2bf38178ef27350c4626d11c44f6c9971cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 7 Aug 2025 18:54:52 +0200 Subject: [PATCH 03/10] Update docs/bub_bounty_details.md --- docs/bub_bounty_details.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/bub_bounty_details.md b/docs/bub_bounty_details.md index cf0e588..b753fd7 100644 --- a/docs/bub_bounty_details.md +++ b/docs/bub_bounty_details.md 
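Review bot: in the `@@ -186,3 +212,8 @@` hunk, `+- The advisory (if public) includes an optional credit line for the reporter, based on YesWeHack preferences.` is ambiguous about whose preference decides (the reporter's credit setting on YesWeHack or the platform's own policy) and does not match the wording already in bug_bounty_details.md (`If requested, we will fully credit the reporters in the advisories.`); suggest `credits the reporter if they opted in to credit on YesWeHack`. `4.4 For reports originated in YesWeHack` should read `originating on YesWeHack`. `marked as resolved and paid` also implies payout happens before the report is closed; if that ordering is intended, say so explicitly, given that the Bounty Liaison section owns payouts. The file still has no trailing newline after this hunk (`\ No newline at end of file`).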
@@ -85,7 +85,7 @@ Every valid report that helps us improve the security of the project is welcome, - The vulnerability must be previously undisclosed, both publicly and privately, and must not have been reported through any other channel ([security policy](https://github.com/expressjs/.github/blob/master/SECURITY.md)). - The issue must meet the qualifying criteria defined in the program’s scope and threat model. - The report must include a working reproducer (e.g., code, configuration, or sequence of steps) that demonstrates the issue clearly and reliably. -- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee) or an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)). +- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee), an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)), or affiliated with any team listed in the Security WG ([ref](https://github.com/expressjs/security-wg#members)). - Severity is assessed based on the maximum impact demonstrated by your proof of concept (PoC), not on hypothetical impact. - Only issues affecting released npm packages are eligible. Vulnerabilities found in unreleased code, git branches, or forks are not eligible for rewards. - **Your report must contain all the mandatory parts of the report submission template proposed on this program** From b1077408540d779d90527f20b06b06171de0a0e0 Mon Sep 17 00:00:00 2001 
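Review bot: in PATCH 03/10, the new clause `or affiliated with any team listed in the Security WG ([ref](https://github.com/expressjs/security-wg#members))` leaves `affiliated` undefined (current member, past member, same employer?), which is exactly the kind of term that gets disputed at payout time; suggest `a current member of any team listed in the Security WG`. The link text `[ref]` also differs from the `[reference]` used earlier in the same bullet.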
From: Ulises Gascon Date: Tue, 12 Aug 2025 20:51:34 +0200 Subject: [PATCH 04/10] chore: rename file --- docs/{bub_bounty_details.md => bug_bounty_details.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{bub_bounty_details.md => bug_bounty_details.md} (100%) diff --git a/docs/bub_bounty_details.md b/docs/bug_bounty_details.md similarity index 100% rename from docs/bub_bounty_details.md rename to docs/bug_bounty_details.md From 2996feb9573a192144d8af47ceed20155f63e75f Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Tue, 12 Aug 2025 21:02:05 +0200 Subject: [PATCH 05/10] docs: exclude triage and documentation team --- docs/bug_bounty_details.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index b753fd7..a4205db 100644 --- a/docs/bug_bounty_details.md +++ b/docs/bug_bounty_details.md 
@@ -85,7 +85,7 @@ Every valid report that helps us improve the security of the project is welcome, - The vulnerability must be previously undisclosed, both publicly and privately, and must not have been reported through any other channel ([security policy](https://github.com/expressjs/.github/blob/master/SECURITY.md)). - The issue must meet the qualifying criteria defined in the program’s scope and threat model. - The report must include a working reproducer (e.g., code, configuration, or sequence of steps) that demonstrates the issue clearly and reliably. -- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee), an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)), or affiliated with any team listed in the Security WG ([ref](https://github.com/expressjs/security-wg#members)). +- You must not be a current [Express.js TC (Technical Committee) member](https://github.com/expressjs/express#tc-technical-committee), an active contributor listed in the project governance documents ([reference](https://github.com/expressjs/discussions/blob/master/docs/contributing/captains_and_committers.md)) - excluded triage and documentation (website) teams, or affiliated with any team listed in the Security WG ([ref](https://github.com/expressjs/security-wg#members)). - Severity is assessed based on the maximum impact demonstrated by your proof of concept (PoC), not on hypothetical impact. - Only issues affecting released npm packages are eligible. Vulnerabilities found in unreleased code, git branches, or forks are not eligible for rewards. - **Your report must contain all the mandatory parts of the report submission template proposed on this program** From cb5c32fce6dbcdf4de29688a76a06996c0bc6573 Mon Sep 17 00:00:00 2001 
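Review bot: in PATCH 05/10, the inserted phrase `- excluded triage and documentation (website) teams,` is grammatically detached from the sentence and reads both ways: that triage and documentation team members are excluded from eligibility, or that they are excluded from the restriction and so remain eligible. The commit subject suggests the latter. Rewrite it as a parenthetical that says so plainly, for example `(members of the triage and documentation/website teams remain eligible)`, and drop the spaced hyphen used as a dash.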
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 18 Aug 2025 21:10:26 +0200 Subject: [PATCH 06/10] Update docs/bug_bounty_details.md Co-authored-by: Wes Todd --- docs/bug_bounty_details.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index a4205db..d2834f0 100644 --- a/docs/bug_bounty_details.md +++ b/docs/bug_bounty_details.md @@ -16,8 +16,6 @@ It is used internally to track changes and coordinate updates. | Other | npm: body-parser | high | | Other | npm: path-to-regexp | high | | Other | npm: cookie | high | -| Other | npm: http-errors | high | -| Other | npm: on-finished | high | | Other | npm: multer | high | From 1a09c914e0c9afa1a29abc0e0935d70bf6221f5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 18 Aug 2025 21:14:10 +0200 Subject: [PATCH 07/10] Update docs/bug_bounty_details.md Co-authored-by: Jon Church --- docs/bug_bounty_details.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index d2834f0..6c4da61 100644 --- a/docs/bug_bounty_details.md +++ b/docs/bug_bounty_details.md @@ -20,7 +20,7 @@ It is used internally to track changes and coordinate updates. ### Out-Of-Scope -- Anything related to https://express.com is out of scope. +- Anything related to https://expressjs.com is out of scope. - npm packages that are not explicitly listed in the scope of the program are not accepted. From 0d3bfbf7073fe19a406def96eb4b12b9689e8d89 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 26 Sep 2025 16:32:27 +0200 Subject: [PATCH 08/10] docs: improve scoping Ref: https://github.com/expressjs/security-wg/pull/90#discussion_r2283076130 --- docs/bug_bounty_details.md | 55 ++++++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 11 deletions(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index 6c4da61..43d3807 100644 --- a/docs/bug_bounty_details.md 
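Review bot: PATCH 06/10 removes `http-errors` and `on-finished` from the scope table but leaves the `## Scopes` paragraph lower in the same file untouched, and that paragraph still lists `[http-errors](https://www.npmjs.com/package/http-errors)` and `[on-finished](https://www.npmjs.com/package/on-finished)`, so the document now gives two different scopes; update the paragraph in the same commit, or make it refer to the table as the single source. PATCH 07/10's fix of `https://express.com` to `https://expressjs.com` is correct and now lines up with the Program Rules line that excludes website hosting.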
+++ b/docs/bug_bounty_details.md 
@@ -25,20 +25,53 @@ It is used internally to track changes and coordinate updates. ## Qualifying Vulnerabilities -- Issues found in outdated or unsupported versions of our npm packages are not accepted. -- For examples and guidance, see: https://expressjs.com/en/advanced/security-updates.html - +To be considered in scope, a vulnerability must: + +- Affect a supported, released version of one of the npm packages listed in the program scope. +- Include a reproducible proof of concept (PoC) demonstrating a real security impact. +- Arise from Express or its scoped packages incorrectly handling **network data received from inbound requests or sent via outbound responses** through documented APIs. + +Examples of qualifying vulnerabilities include: + +- **Incorrect parsing or serialization of HTTP data** + - Request smuggling or splitting due to malformed headers (CWE-444). + - Path traversal or header injection caused by Express’s own parsing/normalization (CWE-22, CWE-74). +- **Bypass of documented security boundaries** + - Framework-level flaws in routing or middleware execution that allow authentication/session bypass even when middleware is used as documented (CWE-285). + - Failure to enforce cookie security attributes (`Secure`, `HttpOnly`, `SameSite`) where defaults or documented APIs promise them (CWE-522, CWE-565). +- **Information disclosure** + - Leaking request bodies, session identifiers, or stack traces through Express APIs in production defaults (CWE-200). + - Sending sensitive data in unintended headers or responses (CWE-201). +- **Cryptographic/session handling flaws** + - Insecure defaults in session or cookie handling provided by Express-maintained modules (CWE-311). + - Weak randomness in session IDs or tokens generated by Express-provided utilities (CWE-330). +- **Dependency misuse** + - Express using a dependency in an insecure way that leads to a vulnerability in scope (e.g. passing untrusted data unsafely). 
+- **Supply chain integrity issues** + - Compromised release artifacts or publish process for in-scope npm packages (CWE-829). ## Non-Qualifying Vulnerabilities -- Anything not listed under Qualifying Vulnerabilities is not accepted by default and may only be considered at the discretion of the maintainers. -- Reports describing purely hypothetical vulnerabilities without a reproducible proof of concept. -- Proofs of concept that do not use publicly available or freely accessible software. -- Issues found in external dependencies, including cryptographic libraries. -- Issues discovered through oss-fuzz or other upstream CI systems. -- Reports generated solely by AI tools. -- Reports concerning vulnerabilities in example code included in the repositories. -- For reference examples, see: https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md#examples-of-non-vulnerabilities +The following are **out of scope** for this program, as they fall outside the Express threat model: + +- **Denial of Service via resource exhaustion** + - Crashes, hangs, or performance degradation caused by large payloads, unbounded JSON parsing, algorithmic complexity, or slowloris-style attacks. + - Express does not guarantee protection against all forms of DoS (CWE-400). +- **Issues in trusted dependencies or runtime** + - Vulnerabilities in Node.js itself or in third-party modules used by applications. + - Bugs in libraries Express depends on, unless Express demonstrably misuses them. +- **Application misconfiguration or trusted input** + - Insecure usage of `express.static()` (e.g., exposing sensitive files). + - Prototype pollution or similar attacks requiring control of inputs provided by application code (CWE-1321). +- **Environmental or system-level manipulation** + - Modifying environment variables (e.g., `NODE_ENV`) to alter behavior. + - File system access within the permissions of the running user. 
+ - Attacks requiring a malicious operating system, runtime, or infrastructure. +- **Reports without demonstrable real-world impact** + - Hypothetical or “theoretical” issues without a working PoC. + - Findings based solely on AI-generated scans, fuzzers, or linters without manual validation. +- **Outdated or unsupported versions** + - Issues found in versions of our npm packages that are deprecated or no longer supported. ## Policy From dfbc926e4004946ad6a41f3f4cd1e979e654e388 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 26 Sep 2025 16:36:49 +0200 Subject: [PATCH 09/10] docs: add `cors` and `iconv-lite` Ref: https://github.com/expressjs/security-wg/pull/90#discussion_r2283142210 --- docs/bug_bounty_details.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index 43d3807..220b41a 100644 --- a/docs/bug_bounty_details.md +++ b/docs/bug_bounty_details.md @@ -17,7 +17,8 @@ It is used internally to track changes and coordinate updates. | Other | npm: path-to-regexp | high | | Other | npm: cookie | high | | Other | npm: multer | high | - +| Other | npm: cors | high | +| Other | npm: iconv-lite | high | ### Out-Of-Scope - Anything related to https://expressjs.com is out of scope. From be6089deac62c987a44b046257f4fb2f27cc0632 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 8 Dec 2025 14:16:45 -0500 Subject: [PATCH 10/10] replace sovereigntechfund.de url w/ sovereign.tech they changed their name and redir to the new domain --- docs/bug_bounty_details.md | 4 ++-- docs/incident_response_plan.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/bug_bounty_details.md b/docs/bug_bounty_details.md index 220b41a..66af0ed 100644 --- a/docs/bug_bounty_details.md +++ b/docs/bug_bounty_details.md 
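Review bot: in PATCH 08/10's `@@ -25,20 +25,53 @@` hunk, the new qualifying category `+- **Supply chain integrity issues**` with `+  - Compromised release artifacts or publish process for in-scope npm packages (CWE-829).` contradicts the Program Rules in the same file (`The scope of this program only applies to the software we build, not to our CI infrastructure or our git/website hosting, and any such attack is prohibited.`): a researcher cannot assess the publish process without targeting that infrastructure. Either drop the bullet or reword it so it only covers evidence of an already-compromised published artifact (for example a tarball on npm that does not match the tagged source), with testing of the release pipeline itself still prohibited. Two smaller points: the hunk removes the only pointer to which versions are supported (`- For examples and guidance, see: https://expressjs.com/en/advanced/security-updates.html`) while the new `Outdated or unsupported versions` bullet still depends on that definition, so keep the link there; and the CWE mapping for cookie attributes (`CWE-522, CWE-565`) is loose, since those entries describe insufficiently protected credentials and reliance on unvalidated cookies rather than missing `Secure`/`HttpOnly` flags, for which CWE-614 and CWE-1004 are the direct entries.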
@@ -88,7 +88,7 @@ Express.js is a fast, unopinionated, minimalist web framework for Node.js. It pr The scope of this program spans multiple npm packages maintained by the Express.js team across three GitHub organizations ([expressjs](https://github.com/expressjs), [pillarjs](https://github.com/pillarjs) and [jshttp](https://github.com/jshttp)). These repositories contain the core modules, middleware components, and foundational utilities that power the Express.js ecosystem. -This bug bounty program is paid for by the [Sovereign Tech Resilience program](https://www.sovereigntechfund.de/programs/bug-resilience). +This bug bounty program is paid for by the [Sovereign Tech Resilience program](https://www.sovereign.tech/programs/bug-resilience). ## Scopes @@ -134,4 +134,4 @@ We handle the full disclosure process and expect submitters not to disclose any The process for external reporting is described on GitHub ---- \ No newline at end of file +--- diff --git a/docs/incident_response_plan.md b/docs/incident_response_plan.md index 85cabcf..2abff9f 100644 --- a/docs/incident_response_plan.md +++ b/docs/incident_response_plan.md @@ -15,7 +15,7 @@ This process applies to all security reports, whether submitted via public chann ## Bug Bounty Program -The Express project participates in a paid bug bounty program funded by the [Sovereign Tech Resilience Program](https://www.sovereigntechfund.de/programs/bug-resilience) and hosted on YesWeHack. +The Express project participates in a paid bug bounty program funded by the [Sovereign Tech Resilience Program](https://www.sovereign.tech/programs/bug-resilience) and hosted on YesWeHack. The goal of this program is to encourage responsible security research by providing financial rewards for qualifying vulnerability reports. Reports submitted through YesWeHack follow the same review and triage process as outlined in this Incident Response Plan. 
@@ -216,4 +216,4 @@ Ideally, the report must contain **clear and detailed information** like (Affect 4.4 For reports originated in YesWeHack, the Security Report Coordinator must ensure that: - The advisory (if public) includes an optional credit line for the reporter, based on YesWeHack preferences. - The reward is processed per the bounty terms. -- The report is marked as resolved and paid within the YesWeHack dashboard. \ No newline at end of file +- The report is marked as resolved and paid within the YesWeHack dashboard.
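Review bot: PATCH 09/10's `@@ -17,7 +17,8 @@` hunk adds `cors` and `iconv-lite` to the scope table but, as with the earlier row removals, does not touch the `## Scopes` paragraph that enumerates the npm packages, so that paragraph now omits two in-scope packages; update it or make the table the single source. The same hunk replaces the blank line after `| Other | npm: multer | high |` with the two new rows, and the hunk counts (`-17,7 +17,8`) show no blank line survives between the table and `### Out-Of-Scope`; keep one there to match the spacing used elsewhere in the file. For PATCH 10/10, the two replaced lines still capitalize the funder differently (`Sovereign Tech Resilience program` in bug_bounty_details.md versus `Sovereign Tech Resilience Program` in incident_response_plan.md); since both lines are being edited anyway, pick one form.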