- If a security issue is present in an implementation, then report it directly to the relevant project.
- If a security issue is present in a TC39 specification, let us know.
- Include any relevant links to corroborative information, e.g. vulnerability reports, reference IDs, etc.
- If you are unable to determine whether a security issue is implementation-specific, let us know.
Report using GitHub by visiting the security advisories page of the relevant repository, such as:
- ECMA-262: ECMAScript® Language Specification
- ECMA-402: ECMAScript® Internationalization API Specification
- If you are unable to determine the relevant repository, you can report here.
Alternately, send an email to security@tc39.es
Note
This list is not exhaustive.
| Engine/Runtime | Used In | Link to Report |
|---|---|---|
| JavaScriptCore | Safari, Bun | Report |
| SpiderMonkey | Firefox | Report |
| V8 | Chrome, Chromium, Edge, Node, Deno | Report |
| Node | Report | |
| Deno | Report | |
| Bun | Report |