Understanding Node.js’ New Signal Requirement for Security Reports
Node.js has updated its vulnerability reporting policy on HackerOne, introducing a minimum Signal requirement. This change aims to improve report quality, reduce operational noise, and better support the maintainers responsible for project security.
Below is an explanation of why this change happened, how it works, and what it means for the security community.
1. Why This Change? The Challenge of “Noise”
This decision addresses a critical operational need. While Node.js values open collaboration, the volume of low-quality security reports has increased drastically, driven largely by automated tools and generative AI.
The problem:
Between December and January, the project received over 30 vulnerability reports, compared to the usual average of 6 or 7 per month. Many of these submissions lacked technical merit or turned out to be false positives.
The cost:
AI has lowered the barrier to generating reports, but it has not reduced the human cost of triaging them. Every invalid report consumes valuable time—time that volunteer maintainers should be spending on identifying and fixing real security risks.
2. What Is “Signal” on HackerOne?
Signal is a reputation metric that reflects the historical validity of a researcher’s vulnerability reports.
How it works:
Signal is a per-researcher score, calculated as the average reputation earned per report that researcher has submitted. Valid, actionable findings raise it; reports closed as spam or not applicable lower it. A researcher who has never submitted a report has no Signal at all.
The new standard:
Node.js now requires a Signal score of 1.0 or higher. This acts as a statistical filter, prioritizing reports from researchers with a proven track record of accuracy and reducing low-signal submissions.
3. Does This Close the Door on New Researchers?
No. The goal is sustainability, not exclusion. Node.js has established a two-tiered approach to ensure new contributors can still participate responsibly:
- Established researchers (Signal ≥ 1.0): can continue submitting reports through HackerOne as usual.
- New researchers or those without Signal: can contact the security team directly through the OpenJS Foundation Slack to discuss potential vulnerabilities before filing a formal report.
This approach preserves an entry point for new contributors while protecting the main reporting workflow.
In Summary
This update represents a practical step toward maturing open source security processes. By filtering noise generated by large-scale automation, Node.js protects maintainers from burnout and ensures that critical vulnerabilities receive the focused, expert attention they deserve.
To read the original technical announcement, visit:
https://nodejs.org/en/blog/announcements/hackerone-signal-requirement