Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.

Socket

Node.js has paused its bug bounty program after the Internet Bug Bounty (IBB) initiative, which funded it since 2016, was discontinued. The IBB, backed by companies like Microsoft and Facebook, stopped accepting new submissions on March 27 due to funding issues and a surge in AI-assisted vulnerability research that overwhelmed remediation capacity. Security reporting through HackerOne continues, but researchers will no longer receive financial rewards. The move mirrors cURL's recent decision to drop its bounty program after being flooded with low-quality AI-generated reports. The shift raises broader concerns about how critical open source infrastructure funds security work, as Node.js now relies on voluntary, goodwill-driven disclosure at a time when supply chain attacks and automated vulnerability discovery are increasing.

Node.js Drops Bug Bounty Rewards After Funding Dries Up

Incentivized Reporting Moves to Voluntary Disclosure #

The Reality of Unfunded Critical Infrastructure #

<p>Ouch. This is crazy. I consider nodejs top tier, if they cannot, wow. I hope the best, I know I am using bun and there is deno too but this is like the mother of them children. :)</p>
