Update HackerOne report template #1856

@RafaelGSS

I guess we can update the current document to:

@@ -1,5 +1,11 @@
 > NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!
 
+> **IMPORTANT:** Before filing this security report, please ensure you have:
+> 1. Read [`SECURITY.md`](https://github.com/nodejs/node/blob/main/SECURITY.md), especially the threat model and vulnerability criteria
+> 2. Reviewed the relevant API documentation in [`doc/`](https://github.com/nodejs/node/tree/main/doc)
+> 3. Verified this behavior is not documented as expected, trusted, or outside the Node.js threat model
+> 4. If using automated tools, cited the exact documentation sections that support your assessment
+
 **Summary:** [add summary of the vulnerability]
 
 **Description:** [add more details about this vulnerability]
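Review bot: The four items in the new IMPORTANT blockquote do not share one grammatical form: items 1-3 complete "ensure you have" (Read, Reviewed, Verified), while item 4 opens with a condition, "If using automated tools, cited the exact documentation sections that support your assessment". Reword it to match the others, e.g. "4. Cited the exact documentation sections that support your assessment, if you used automated tools". Items 1 and 2 also repeat the `SECURITY.md` and `doc/` links that the Documentation Review checklist lower in the template carries; keeping the links in one place and having the blockquote point to that section avoids maintaining two copies.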
@@ -16,6 +22,16 @@
 
 ## Impact: [add why this issue matters]
 
+## Documentation Review:
+
+Please confirm you have reviewed the following and explain how this behavior conflicts with documented guarantees:
+
+  * [ ] Relevant API documentation in [`doc/`](https://github.com/nodejs/node/tree/main/doc)
+  * [ ] [`SECURITY.md`](https://github.com/nodejs/node/blob/main/SECURITY.md) threat model
+  * [ ] Common false positives: [`permissions.md`](https://github.com/nodejs/node/blob/main/doc/api/permissions.md), [`wasi.md`](https://github.com/nodejs/node/blob/main/doc/api/wasi.md), [`cli.md`](https://github.com/nodejs/node/blob/main/doc/api/cli.md#warning-binding-inspector-to-a-public-ipport-combination-is-insecure)
+
+[Cite the exact document sections that support your assessment and explain why this behavior is a vulnerability despite the documentation]
+
 ## Supporting Material/References:
 
   * List any additional material (e.g. screenshots, logs, references, commits, code examples, etc.).
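Review bot: The new `## Documentation Review:` heading keeps the trailing colon of the surrounding headings but, unlike `## Impact: [add why this issue matters]`, has no inline placeholder, so the colon dangles in the rendered template; either drop the colon or move the bracketed instruction from the standalone line up into the heading. The `cli.md` link in the "Common false positives" item depends on a long generated heading anchor (`#warning-binding-inspector-to-a-public-ipport-combination-is-insecure`) that will silently break if that heading is reworded; linking to the page and naming the section in the text is more robust. The introductory sentence ("explain how this behavior conflicts with documented guarantees") and the bracketed line below the checklist ask for the same thing; one of the two is enough.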

Originally posted by @RafaelGSS in nodejs/node#63038 (comment)
