Skip to content

Security: ImBIOS/bun-node

SECURITY.md

🛡️ Security Policy

📝 Reporting a Vulnerability

To report a vulnerability, please privately report it via the Security tab on the correct GitHub repository (see documentation). If that is impossible, feel free to send an email to [email protected] (PGP encryption available) or [email protected] (unavailable PGP encryption) instead.

🔒 Pretty Good Privacy

🔑 PGP Fingerprint: C59D 18D3 068E 3D48 6C8D  52F2 E83A 7B4A 2C91 CD79
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGTSHksBEADQi+z43SkNMPCKsikazAVlBxdvNMl3bcxvZ+H4bDX9+0MEs+lK
NVqDoQ4azlVYSnTU8R2NY+8ccG4NfOuoVCvRBFwl0Vn9lm3oIAieWAuN1XEL1aOW
+G4FCvRoXUNoyc0NHu0pszLKUN9XjdCcXUr3o99bx49HgUe+W9rBxuQb9errsWp6
SS9Eit/SSNmjZMELcEAeOlHEJuKTJ20N9G4nYb76B8/hjEQmUdU+Iql53RxM71u2
AULFQuG2rICqa2C9pIQVKQBLSSfuxMCnJv/Rrv49EaooQFae35KwDv0Khl0VSxk4
xbd2bidtJDm8+gEv1mJj+KPEHfo8Fp4SQj71RZXFYEyqeLp4CteKAVvSYe0B8JOZ
F1OWVO0ZF+g7GwF5zLjdwUmQuultRAhpyLCI8QLrODOsUtF70BzUXzffXWPFKroP
3WZLZDS83i87vQ3pth7/LLgQsAtEhRRldd7VYkDQn3NgDrSfj4MRGuJ+h7X7QMwb
ubnnh037HGCyXLcrEUECHtfF7mYEgyp0IqLfseM7d7idhPZu/ZAq0kvyjcyleJob
/dTW/ZRiiGzFuQZL/r/pAdZ9Z2b0SozBETzXwKXTZvlwRDX1Gn1kh+ePqFyhd2rk
p3wPjdi8ep2FRkrHMM8rFkRjOtc0x9fuIITodwJMDli2mz8nOSUxdGaiFwARAQAB
tCtJbWFtdXp6YWtpIEFidSBTYWxhbSA8aW1hbXV6emFraUBnbWFpbC5jb20+iQJU
BBMBCAA+FiEExZ0Y0waOPUhsjVLy6Dp7SiyRzXkFAmTSHksCGwMFCQeGHzoFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ6Dp7SiyRzXlERQ//acLPw6aMhyfmFV7Q
rycEQyc1b32IPWcEP/aspmEQVoqYKQhRgV/S17ziZPxGnbUAL4PWVVy4quUKA9Ed
RRgMVV56xvbvVRqMk37zpH1NqB6gOQP71AC8fRy19TkBGJp14PEfrEzuAFh9HN6b
Z+uoGmeVVYAkk6OicZXOuuJRZzESsOr8DWMcj2w9iuWXWbu1Rphgihux0qE22rID
VNrAAoaPha+7UmGDr1ZtQWcvtEUSjkmiqzN80mntzzqF2EgTnHNn3edeBc1TnDA4
unB+tK5ep+6ZoeFF5sW1rcVz+WPOQ+KDI3xASgOLUixGwqL6uBcHlzNk0LWmgNwp
cMUk6AwmOciF3qdSG+Q6WjAMPk1iamN3X6bu+9ANcXwzCVFwPwRGdqMtP6Htwwwt
1XEeZwmwfZ0JxkhOFUAGeuIJfunLUoJ4fh81PD6os/VAoB8+WBXrOAeIfRZG/O85
AjwZ/qSNYIQ/7pbAUNYQWyih4FiIbfri3TYpSLxSkSR9X02lmB1uiCkn+EB5GrWg
HUvtlJMdBEHbUSFtNm2bts2I72v5d09imPrK0RPijat1ZVLi3nu+ez86JQ83Vw+G
Z3E7hZ2XUS/TS0Rhwo+arV5YpPuvC5dTc2Bmv0AJPfAis3BdAkaa29eqyH+EOFZO
gTEo6hiwmEGkBxMtY1xLGIpFFHG5Ag0EZNIeSwEQAMRFPAyFBdwTtn9WmCfBq17y
3k1dgsD1RTRhPoLZ0hQefqbfIaTtR/p/I6+eJfYvfLt7E+SyckdHYbh2UFUyPvnz
QRAD1Xf3S77XfNoSJbmHwS547Fh9KRMQ4abGIwMxIy/TMcynO8VJQDXDbECWS4zg
r77aLsZGTzuzWYzUjxJKGLvdcqD3Mr+HeyhDRmyQGdPF2L1f5svOqjIp/oVuOqVj
Tzl/+uV/S62G2U15TFromMF1b/wv4iktAXBS3rba0jdyh54Rx270WZWAtpE7a9SE
/LToQi22i4PjWmRibCSyUTHlOruFCTtxNuLvoVdTTp2fDB8Xh4L//mmJ1rofhFbP
TlbhGcxazPy9V/RBZTHpfGir0bcy6T0UjFsWRD2grZaLQRm9tYjw4O2T5Sh7+Vn5
huUjo1oYbEIUJatTeogIAl14Is95bLpPk0prn04umQdJ6g2KV9U4dYa5o0Imhk3Q
6859hEvo+GfpSbeIAnjstkn3ewIvKzn/pPTsShdVEyWe5trEIfKsX8vd3U/faE99
RUmFmBV448/2QBGgCmFqTgMkrvwOSucCfKErTaDp8709WxZF54TEp8X3EKXeNSat
U7goZxbNsLh4plzK4ol1A55TfCVn5eHm+UgKOOahO7Yytxg59HOFT83fk/YbE90y
db2/GbgRkmaR6PnaQ051ABEBAAGJAjwEGAEIACYWIQTFnRjTBo49SGyNUvLoOntK
LJHNeQUCZNIeSwIbDAUJB4YfOgAKCRDoOntKLJHNeQxoD/wPvnC1OiRLrx2ozvCE
9CACx4yI70lAa3EJbDGLG5sy+YEL8ZdYcubGfyxpvn5ciqrPHLFyEAwYSVGaqqn7
06x9yYZ1wQcCN++n6CEP4BfCcAoeJA1FlUf9IWWYxnxRiUZeOR2mS/UZUqEjLdBi
ItgQsPE+VD7tV7JbVNu/rAcmqF1Ppf83Lgu/uscfisU60B3GkKlJpgN6IQdP+gJz
baZ7mIie4lCvPPzKag33lBT8VOzTmbEeSNC6k9eAl5XYJOr9uqe314ofCRiu5am/
HXEmTPXJEioxf3zVCKCBOrhPLAQrO9IFOaKWbHbemF/iquy3bxQZhMtGht1IAph7
NDD4cSzmGtLN4JuNiNC2eqqjlLT0l3Qmg2n4l2cRTynCW3yqNR3oEjK3B/ZLdNrV
D/eqCv4xexUVdyQPZvUF9u/0hwMHbGg0+0HtsPRQ54PRC5j3WNllLRHvmf27/gcy
z//6Xye7w74wS+SRzSkDBxKrJDmpxCZajzOp1MSvrA8mssK9kci6nYqzRli2AlJz
4lQiD/w4/cT1ZLTetbbqSm7y74sa6/OldHLM3JOvA7YDmiwzgQHZCBOJAMhDo1T1
+Hh7Zt+BEy8mz22SmZQG+sgLRALGs0y7+yZEhEPyEHyfd/chDkcr5OXwEwo6FqDc
RoBNJbQajOS7WbteuSUkSR2aJQ==
=m4hW
-----END PGP PUBLIC KEY BLOCK-----

You can expect a response within 48 hours if you are a human reporting a genuine issue.

If the reported system vulnerability is accepted, then there must be a reward, at least close to the level of benefit provided or potential problems from the vulnerability, and by considering the remaining available reward capability.

All security vulnerabilities will be promptly verified and addressed.

While the discovery of new vulnerabilities is rare, we also recommend always using the latest versions and other dependencies by maintaining lock files (e.g. yarn.lock, package-lock.json, pnpm-lock.yaml, bun.lockb, or requirements.txt) in order to ensure your application remains as secure as possible.

There aren’t any published security advisories