New HackerOne Signal Requirement for Vulnerability Reports
Source: Node.js Blog
UPDATE 2026‑02‑19: New researchers without Signal can no longer submit reports through HackerOne. If you are a new researcher and would like to report a potential vulnerability, please reach out to the Node.js security release stewards via the OpenJS Foundation Slack.
We have updated our HackerOne program to require a Signal score of 1.0 or higher to submit vulnerability reports to the Node.js project.
Why This Change
The Node.js security team has experienced a significant increase in low‑quality reports. Over the holidays, the volume exceeded what we can handle: between December 15 and January 15 we received more than 30 reports. Triaging these consumes time and energy that could be spent on legitimate security work. By requiring a minimum Signal score, we ensure that reporters have a proven track record of submitting valid security reports, while still allowing newer researchers to participate with a limited number of submissions.
What This Means for You
- Researchers with Signal ≥ 1.0: You can continue reporting vulnerabilities through HackerOne as usual.
- Researchers below the threshold: You can still reach the security team through the OpenJS Foundation Slack. Contact us there to discuss potential vulnerabilities.
About HackerOne Signal
Signal is HackerOne’s reputation metric that reflects the quality of a researcher’s past submissions. A higher Signal indicates a history of valid, impactful reports. This requirement helps us prioritize reports from researchers with demonstrated expertise while reducing the burden of triaging invalid submissions.
We appreciate the security community’s understanding and continued collaboration in keeping Node.js secure.