doc: fix minor grammar and style issues in SECURITY.md

PR-URL: #53168 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Ulises Gascón <[email protected]>
nodejs · May 28, 2024 · a2446de · a2446de
1 parent 8c6d43c
commit a2446de
Showing 1 changed file with 21 additions and 22 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,7 +4,7 @@
 
 Report security bugs in Node.js via [HackerOne](https://hackerone.com/nodejs).
 
-Normally your report will be acknowledged within 5 days, and you'll receive
+Normally, your report will be acknowledged within 5 days, and you'll receive
 a more detailed response to your report within 10 days indicating the
 next steps in handling your submission. These timelines may extend when
 our triage volunteers are away on holiday, particularly at the end of the
@@ -21,9 +21,9 @@ The Node.js project engages in an official bug bounty program for security
 researchers and responsible public disclosures.  The program is managed through
 the HackerOne platform. See <https://hackerone.com/nodejs> for further details.
 
-## Reporting a bug in a third party module
+## Reporting a bug in a third-party module
 
-Security bugs in third party modules should be reported to their respective
+Security bugs in third-party modules should be reported to their respective
 maintainers.
 
 ## Disclosure policy
@@ -41,20 +41,19 @@ Here is the security disclosure policy for Node.js
 * A suggested embargo date for this vulnerability is chosen and a CVE (Common
   Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
 
-* On the embargo date, the Node.js security mailing list is sent a copy of the
-  announcement. The changes are pushed to the public repository and new builds
-  are deployed to nodejs.org. Within 6 hours of the mailing list being
+* On the embargo date, a copy of the announcement is sent to the Node.js
+  security mailing list. The changes are pushed to the public repository and new
+  builds are deployed to nodejs.org. Within 6 hours of the mailing list being
   notified, a copy of the advisory will be published on the Node.js blog.
 
-* Typically the embargo date will be set 72 hours from the time the CVE is
+* Typically, the embargo date will be set 72 hours from the time the CVE is
   issued. However, this may vary depending on the severity of the bug or
   difficulty in applying a fix.
 
-* This process can take some time, especially when coordination is required
-  with maintainers of other projects. Every effort will be made to handle the
-  bug in as timely a manner as possible; however, it's important that we follow
-  the release process above to ensure that the disclosure is handled in a
-  consistent manner.
+* This process can take some time, especially when we need to coordinate with
+  maintainers of other projects. We will try to handle the bug as quickly as
+  possible; however, we must follow the release process above to ensure that we
+  handle disclosure consistently.
 
 ## The Node.js threat model
 
@@ -91,12 +90,12 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 2. The data received from the remote end of outbound network connections
    that are created through the use of Node.js APIs and
    which is transformed/validated by Node.js before being passed
-   to the application EXCEPT in respect to payload length. Node.js trusts
+   to the application EXCEPT with respect to payload length. Node.js trusts
    that applications make connections/requests which will avoid payload
    sizes that will result in a Denial of Service.
    * HTTP APIs (all flavors) client APIs.
    * DNS APIs.
-3. Consumers of data protected through the use of Node.js APIs (for example
+3. Consumers of data protected through the use of Node.js APIs (for example,
    people who have access to data encrypted through the Node.js crypto APIs).
 4. The file content or other I/O that is opened for reading or writing by the
    use of Node.js APIs (ex: stdin, stdout, stderr).
@@ -107,13 +106,13 @@ a security vulnerability. Examples of unwanted actions are polluting globals,
 causing an unrecoverable crash, or any other unexpected side effects that can
 lead to a loss of confidentiality, integrity, or availability.
 
-**Node.js trusts everything else**. As some examples this includes:
+**Node.js trusts everything else**. Examples include:
 
 1. The developers and infrastructure that runs it.
 2. The operating system that Node.js is running under and its configuration,
    along with anything under control of the operating system.
-3. The code it is asked to run including JavaScript and native code, even if
-   said code is dynamically loaded, e.g. all dependencies installed from the
+3. The code it is asked to run, including JavaScript and native code, even if
+   said code is dynamically loaded, e.g., all dependencies installed from the
    npm registry.
    The code run inherits all the privileges of the execution user.
 4. Inputs provided to it by the code it is asked to run, as it is the
@@ -135,7 +134,7 @@ In addition to addressing vulnerabilities based on the above, the project works
 to avoid APIs and internal implementations that make it "easy" for application
 code to use the APIs incorrectly in a way that results in vulnerabilities within
 the application code itself. While we don’t consider those vulnerabilities in
-Node.js itself and will not necessarily issue a CVE we do want them to be
+Node.js itself and will not necessarily issue a CVE, we do want them to be
 reported privately to Node.js first.
 We often choose to work to improve our APIs based on those reports and issue
 fixes either in regular or security releases depending on how much of a risk to
@@ -173,13 +172,13 @@ the community they pose.
 
 #### Malicious Third-Party Modules (CWE-1357)
 
-* Code is trusted by Node.js, therefore any scenario that requires a malicious
+* Code is trusted by Node.js. Therefore any scenario that requires a malicious
   third-party module cannot result in a vulnerability in Node.js.
 
 #### Prototype Pollution Attacks (CWE-1321)
 
 * Node.js trusts the inputs provided to it by application code.
-  It is up to the application to sanitize appropriately, therefore any scenario
+  It is up to the application to sanitize appropriately. Therefore any scenario
   that requires control over user input is not considered a vulnerability.
 
 #### Uncontrolled Search Path Element (CWE-427)
@@ -205,8 +204,8 @@ the community they pose.
 
 * Corepack defaults to downloading the latest version of the software requested
   by the user, or a specific version requested by the user. For this reason,
-  Node.js releases won't be affected by such vulnerabilities, users are
-  responsible to keep the software they use through Corepack up-to-date.
+  Node.js releases won't be affected by such vulnerabilities. Users are
+  responsible for keeping the software they use through Corepack up-to-date.
 
 ## Assessing experimental features reports