Reporting npm Vulnerabilities + Getting Credit
Where to report package issues safely and how to build a public credit trail.
Where to report
If you find a vulnerability in an npm package, report it privately to the package maintainers using the project’s security policy (often a SECURITY.md file) or any private reporting channel they publish.
If you suspect active malware in a package on npmjs.com, report it to npm Security using the “Report malware” flow on the package page.
If the security issue is with npm itself (npmjs.com, registry behavior, account security), npm asks reporters to open a ticket with npm Support; the ticket is then escalated to npm’s security point of contact.
Before you report
- Do not disclose exploit details publicly (issues/PRs/social) before the maintainers have acknowledged the report and a fix is available
- Prefer GitHub private vulnerability reporting when the repository enables it
- If you have a disclosure deadline, tell maintainers upfront so you can coordinate
What to include
Good reports reduce back-and-forth and help us reproduce quickly. Share as much as you can without putting real users at risk.
- A short summary and impact (what can an attacker do?)
- Affected area (URL/endpoint, component name, or repository + path)
- Reproduction steps and prerequisites (accounts, roles, config)
- Proof-of-concept (safe PoC or minimal exploit) and logs/screenshots
- Any mitigations/workarounds you found
- Your preferred attribution details (for credit), if you want public acknowledgement
Coordinated disclosure
We follow coordinated vulnerability disclosure: private report → validation → fix → publish (when remediation is available).
If you have a disclosure deadline (conference, blog post, or policy), include it in the first message so we can coordinate.
- Avoid public disclosure until we acknowledge receipt and a fix is ready
- Avoid accessing or modifying data you do not own
- Avoid service disruption (no DoS testing without coordination)
Getting credit
If you want credit, tell the maintainers exactly how you want to be acknowledged (name/handle/link). Credits are usually published in release notes, changelogs, or a security advisory.
If the project uses GitHub Security Advisories, GitHub supports attributing contributors in the advisory “Credits” section, and those credits can appear on your GitHub profile.
Public credits help build your researcher profile over time: they create a verifiable track record you can point to (GitHub profile, portfolio, and social links).
- Include the attribution string you want (e.g., “@handle” or “Name (Company)”)
- Include a link you want shown (GitHub, website, X, etc.)
- Tell us if you want to stay anonymous
References
These external resources describe common disclosure and credit practices used across the industry.
- npm: Reporting malware in an npm package
- npm: Security Policy (contact via npm Support)
- GitHub: About coordinated disclosure of security vulnerabilities
- GitHub: Adding a security policy (SECURITY.md)
- GitHub: Creating a repository security advisory (Credits)
- GitHub Blog: Giving credit for Security Advisories
- RFC 9116: security.txt