Node.js Security Bug Bounty Program Paused Due to Loss of Funding

nodejs.org

4 points by tjwds 2 months ago · 2 comments

GeoSys 2 months ago

That's pretty bad ... So many Fortune 500 companies using Node couldn't fork some spare change to keep themselves (and us) safe ...

  • benoau 2 months ago

    It's not that they're out of funding per se:

    > The discovery landscape is changing. AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted. We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to further these goals.

    https://hackerone.com/ibb?type=team
