doc: clarify experimental platform vulnerability policy · nodejs/node@40b217a
@@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other
102102words, it cannot assume that a trusted element (such as the operating
103103system) has been compromised.
104104105+### Experimental platforms
106+107+Node.js maintains a tier-based support system for operating systems and
108+hardware combinations (Tier 1, Tier 2, and Experimental). For platforms
109+classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms)
110+documentation:
111+112+* Security vulnerabilities that only affect experimental platforms will **not** be accepted as valid security issues.
113+* Any issues on experimental platforms will be treated as normal bugs.
114+* No CVEs will be issued for issues that only affect experimental platforms
115+* Bug bounty rewards are not available for experimental platform-specific issues
116+117+This policy recognizes that experimental platforms may not compile, may not
118+pass the test suite, and do not have the same level of testing and support
119+infrastructure as Tier 1 and Tier 2 platforms.
120+105121Being able to cause the following through control of the elements that Node.js
106122does not trust is considered a vulnerability:
107123
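Review bot: The second bullet (new line 113) is scoped more broadly than the other three: "Any issues on experimental platforms" can be read to include a bug that also reproduces on a Tier 1 or Tier 2 platform, while lines 112, 114 and 115 all say "only affect" or "platform-specific". Suggest wording it the same way, for example "Issues that only affect experimental platforms will be treated as normal bugs.", so a reporter cannot conclude that a cross-platform issue first observed on an experimental platform is out of scope. Style: the bullets on lines 114 and 115 are missing the trailing period that lines 112 and 113 have, and line 112 is not wrapped like the surrounding paragraphs.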