@@ -114,7 +114,8 @@ does not trust is considered a vulnerability:
114114 * The API doesn't have a warning against its usage in a production environment.
115115 * The API is public and documented.
116116 * The API is on stable (2.0) status.
117- * The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing).
117+ * The memory leak is significant enough to cause a denial of service quickly
118+ or in a context not controlled by the user (for example, HTTP parsing).
118119 * The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
119120 * The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
120121 * The leak occurs deterministically under normal usage patterns rather than edge cases.
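Review bot: the lead-in quoted in the hunk header ("... does not trust is considered a vulnerability:") still does not say whether the bullets that follow, including the reworded 117+/118+ item, must all hold or whether any one of them suffices; since the last three items (directly exploitable, not mitigable by process recycling, deterministic under normal usage) read as cumulative conditions, consider introducing the list with "when all of the following hold" so triage of a leak report is unambiguous. Also, "denial of service" is lower-case on 117+ while the unchanged line 145146 in the next hunk keeps "Denial of Service"; pick one form for the document.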
@@ -140,7 +141,7 @@ Vulnerabilities related to this case may be fixed by a documentation update.
140141* The data received from the remote end of outbound network connections
141142 that are created through the use of Node.js APIs and
142143 which is transformed/validated by Node.js before being passed
143- to the application EXCEPT with respect to payload length. Node.js trusts
144+ to the application ** except ** with respect to payload length. Node.js trusts
144145 that applications make connections/requests which will avoid payload
145146 sizes that will result in a Denial of Service.
146147 * HTTP APIs (all flavors) client APIs.
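Review bot: on line 144+ the emphasis markers appear with inner spaces, `** except **`, which CommonMark does not parse as a strong-emphasis span (the opening `**` must not be followed by whitespace), so the word would render literally with the asterisks; if the committed text is really spaced this way, change it to `**except**`. The unchanged context line `** Node.js trusts everything else** .` in the following hunk shows the same spacing plus a stray space before the period, which is worth fixing in the same commit if it is not merely a rendering artifact of this view.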
@@ -161,9 +162,9 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
161162
162163** Node.js trusts everything else** . Examples include:
163164
164- * The developers and infrastructure that runs it.
165+ * The developers and infrastructure that run it.
165166* The operating system that Node.js is running under and its configuration,
166- along with anything under control of the operating system.
167+ along with anything under the control of the operating system.
167168* The code it is asked to run, including JavaScript, WASM and native code, even
168169 if said code is dynamically loaded, e.g., all dependencies installed from the
169170 npm registry.
@@ -199,12 +200,12 @@ the community they pose.
199200
200201* Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
201202 in certificates used to connect to a TLS/SSL endpoint. If certificates can be
202- crafted which result in incorrect validation by the Node.js APIs that is
203+ crafted that result in incorrect validation by the Node.js APIs that is
203204 considered a vulnerability.
204205
205206#### Inconsistent Interpretation of HTTP Requests (CWE-444)
206207
207- * Node.js provides APIs to accept http connections. Those APIs parse the
208+ * Node.js provides APIs to accept HTTP connections. Those APIs parse the
208209 headers received for a connection and pass them on to the application.
209210 Bugs in parsing those headers which can result in request smuggling are
210211 considered vulnerabilities.
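Review bot: line 203+ now reads "crafted that result in incorrect validation by the Node.js APIs that is considered a vulnerability", which stacks two "that" clauses with no break between the condition and its consequence; add a comma before the second "that" ("... by the Node.js APIs, that is considered a vulnerability") or rephrase to "If certificates can be crafted that the Node.js APIs validate incorrectly, that is considered a vulnerability." The http to HTTP change on 208+ is fine and matches "HTTP APIs" on 146147.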
@@ -217,9 +218,9 @@ the community they pose.
217218
218219#### External Control of System or Configuration Setting (CWE-15)
219220
220- * If Node.js automatically loads a configuration file which is not documented
221+ * If Node.js automatically loads a configuration file that is not documented
221222 and modification of that configuration can affect the confidentiality of
222- data protected using the Node.js APIs this is considered a vulnerability.
223+ data protected using the Node.js APIs, then this is considered a vulnerability.
223224
224225### Examples of non-vulnerabilities
225226
@@ -242,7 +243,7 @@ the community they pose.
242243
243244#### External Control of System or Configuration Setting (CWE-15)
244245
245- * If Node.js automatically loads a configuration file which is documented
246+ * If Node.js automatically loads a configuration file that is documented,
246247 no scenario that requires modification of that configuration file is
247248 considered a vulnerability.
248249
@@ -262,9 +263,9 @@ the community they pose.
262263
263264## Assessing experimental features reports
264265
265- Experimental features are eligible to reports as any other stable feature of
266- Node.js. They will also be susceptible to receiving the same severity score
267- as any other stable feature.
266+ Experimental features are eligible for security reports just like any other
267+ stable feature of Node.js. They may also receive the same severity score that a
268+ stable feature would .
268269
269270## Receiving security updates
270271