_posts/2025-06-05-vulnerability-reporting-process-overhaul.md
The Express.js project has completed a major milestone in its ongoing commitment to security: the implementation of a formal, centralized vulnerability reporting and response process.
Until recently, security reports were typically handled over email — an approach that worked in the early days but no longer scaled with the growing complexity and user base of Express. This informal system introduced potential delays, inconsistent handling, and increased the risk of issues being missed or misunderstood.
Thanks to support from the Sovereign Tech Fund, the Express.js Security Working Group has now completed a ground-up overhaul of how we manage vulnerability reports.
- A comprehensive runbook and process flow have been created to guide maintainers through each step of triaging, confirming, and addressing reported security issues.
- All Express.js repositories now share a single, unified SECURITY.md policy to ensure consistency and remove confusion for reporters and maintainers alike.
- Security Advisories are now enabled across all Express.js repositories, allowing for secure, private vulnerability reporting through GitHub’s built-in system.
- Expectations around ownership and response timelines have been clarified and published to reduce ambiguity and improve responsiveness.
- A security triage team member or the repo captain will acknowledge your report as soon as possible.
- After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
As of June 2025, the OpenJS Foundation is officially a CVE Numbering Authority (CNA), empowered to assign CVE identifiers for security vulnerabilities across its hosted projects—including Express.
What this means for the community:

- Please refer to Express’s Security Policy for the correct disclosure process. If needed, escalation routes through the OpenJS CNA are now available.
This advancement is part of a broader effort to strengthen the security of JavaScript’s open-source ecosystem—especially for widely used, community-driven projects like Express.
Learn more:
To further enhance the security of our ecosystem and encourage responsible vulnerability disclosure, the Express.js team has begun exploring participation in a community-focused bug bounty initiative—powered by the Sovereign Tech Resilience program.
This collaboration aims to:
Join the conversation and share your thoughts in expressjs/discussions#345 – Bug Bounty Proposal
Security is a shared responsibility — and one that must evolve as the project grows. With these updates, Express.js has laid the foundation for a more reliable, scalable, and transparent vulnerability response system.
We’re grateful to the OpenJS Foundation and the Sovereign Tech Fund for their support and are excited to share this progress with the broader community.