npm Registry

Synopsis

The npm Registry includes subdomains under *.npmjs.com and *.npmjs.org. These are services related to serving npm packages to external users and other support for npm.

Focus areas

• Vulnerabilities that lead to account takeover
• Novel supply chain vulnerabilities
• Gaining access to private packages that should be inaccessible
• Disclosing the existence of private packages that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible, as described below)

Ineligible submissions

Vulnerabilities in packages that are hosted on the registry

npm users are responsible for the content hosted in their packages. Any vulnerabilities in user content do not affect the security of npm or its users. We recommend that you report these vulnerabilities directly to the owner of the package.

Malicious packages

npm users are responsible for vetting the content of packages that they choose to install. However, npm takes its responsibility as steward of the JavaScript ecosystem seriously; therefore, we actively scan for malware in the registry.

Infrastructure vulnerabilities

Infrastructure vulnerabilities such as an outdated version of Transport Layer Security (TLS) or a lack of rate limiting are considered out of scope for this bounty program unless you are able to prove privilege escalation or the ability to use it as part of a larger, more impactful attack.

Timing attacks that reveal a private package

Architectural nuances prevent us from systematically preventing timing attacks from determining whether a specific package exists. Therefore, timing attacks are considered ineligible.