Node.js has implemented a new quality control measure on its HackerOne bug bounty program, requiring researchers to maintain a minimum Signal reputation score of 1.0 before submitting vulnerability reports.
This policy change, announced by the OpenJS Foundation, aims to reduce the growing volume of low-quality submissions that have overwhelmed the security team’s triage capacity.
The Change Explained
The updated program rules now mandate that security researchers demonstrate a proven track record of valid submissions before gaining direct reporting access.
HackerOne’s Signal metric serves as the key differentiator, measuring the historical quality and impact of a researcher’s past reports.
Researchers meeting or exceeding the 1.0 threshold retain unrestricted access to submit vulnerabilities through the standard HackerOne channel.
The Node.js security team documented a concerning trend of increasing invalid submissions that peaked during the holiday period.
Between December 15th and January 15th, the project received over 30 reports, creating a triage burden that diverted resources from legitimate security work.
“This trend has been increasing over the years, and over the holidays it crossed the threshold that we can actually handle,” the team stated.
The Signal requirement directly addresses this resource strain by prioritizing submissions from researchers with demonstrated expertise.
The policy creates a two-tiered system that balances quality control with accessibility. Established researchers maintaining a Signal score ≥1.0 experience no change to their reporting workflow.
Newcomers or researchers below the threshold can still participate through alternative channels, contacting the security team via the OpenJS Foundation Slack workspace to discuss potential vulnerabilities.
This approach preserves opportunities for emerging talent while protecting the project’s limited triage resources.
Node.js joins a growing number of open-source projects refining their vulnerability disclosure processes to manage scale.
The Signal metric, calculated from the validity and severity of a researcher’s past reports, provides an objective filter that reduces subjective triage overhead.
By implementing this threshold, the project expects to improve the signal-to-noise ratio in its security pipeline, enabling faster response times for critical vulnerabilities.
The OpenJS Foundation emphasized continued collaboration with the security community, framing the change as necessary operational hygiene rather than exclusion.
