TC39 Vulnerability Disclosure Policy

Reporting Guidelines

• If a security issue is present in an implementation, then report it directly to the relevant project.
• If a security issue is present in a TC39 specification, let us know.
  • Include any relevant links to corroborative information, e.g. vulnerability reports, reference IDs, etc.
• If you are unable to determine whether a security issue is implementation-specific, let us know.

Reporting to TC39

Report using GitHub by visiting the security advisories page of the relevant repository, such as:

• ECMA-262: ECMAScript® Language Specification
• ECMA-402: ECMAScript® Internationalization API Specification
• If you are unable to determine the relevant repository, you can report here.

Alternately, send an email to security@tc39.es

Reporting to Projects

Note

This list is not exhaustive.

Engine/Runtime	Used In	Link to Report
JavaScriptCore	Safari, Bun	Report
SpiderMonkey	Firefox	Report
V8	Chrome, Chromium, Edge, Node, Deno	Report
Node		Report
Deno		Report
Bun		Report