Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.

Socket

Node.js has paused its bug bounty program after the Internet Bug Bounty (IBB) initiative, which funded it since 2016, was discontinued. The IBB, backed by companies like Microsoft and Facebook, stopped accepting new submissions on March 27 due to funding issues and a surge in AI-assisted vulnerability research that overwhelmed remediation capacity. Security reporting through HackerOne continues, but researchers will no longer receive financial rewards. The move mirrors cURL's recent decision to drop its bounty program after being flooded with low-quality AI-generated reports. The shift raises broader concerns about how critical open source infrastructure funds security work, as Node.js now relies on voluntary, goodwill-driven disclosure at a time when supply chain attacks and automated vulnerability discovery are increasing.

Node.js Drops Bug Bounty Rewards After Funding Dries Up

Incentivized Reporting Moves to Voluntary Disclosure #

The Reality of Unfunded Critical Infrastructure #

They think that people will work for free ?! All these bug bounty hunters have bills to pay to, one thing is to help with simple things because you have a good income from a lot of other bountys, but if people start to struggle to put food on the table while catching bugs and they try to explore even more just by not paying us at all, then nobody will help you in your greedy actions, I hope!

Ouch. This is crazy. I consider nodejs top tier, if they cannot, wow. I hope the best, I know I am using bun and there is deno too but this is like the mother of them children. :)

Bad news for people invested in resolving critical issues. To much money is invested in artificial intelligence and far less in the people. Question is what will happen if the ai can not resolve the issues which creative human can?