
Security: yachoued/node-opcua


SECURITY.md

Security Policy

The maintainers of this project at Sterfive take security seriously and are committed to addressing potential security issues promptly and responsibly.

If you believe you have found a security vulnerability in any node-opcua repository, please report it to us as described below.

Supported Versions

Only the latest release series receives security patches and new releases when a security issue is found.

We may consider patching or fixing prior versions of node-opcua only for users who are regular subscribers to the NodeOPCUA Support Membership program (https://support.sterfive.com).

Version              Supported
2@latest             ✅ (master branch)
2.163 to 2<@latest   (for members only)
0.x

How to Report a Security Vulnerability

If you discover a security vulnerability within node-opcua, we appreciate your efforts in responsibly disclosing it to us.

To ensure a smooth and effective resolution process, please follow these steps:

  1. Confidential Reporting:

    Do not publicly disclose the vulnerability. Instead, send a detailed report to our security team at [email protected], including:

    • A clear description of the vulnerability.
    • Steps to reproduce the issue.
    • Any relevant code snippets or screenshots.
    • Your contact information (if you wish to be credited).
  2. Acknowledgment:

    We will acknowledge receipt of your report, usually within 24 hours, and provide an estimated timeline for resolution.

Security Vulnerability Disclosure Policy

Investigation

Our security team will investigate the reported vulnerability to assess its impact and validity. We may contact you for additional information if necessary.

Remediation

If the vulnerability is confirmed, we will prioritize developing a fix. The patch will be included in the next release of node-opcua. For critical vulnerabilities, we may issue an emergency release.

Notification

  • Once the fix is released, we will notify you and credit you in the release notes, unless you prefer to remain anonymous.
  • Members of the NodeOPCUA Support Program will be directly informed about the vulnerability and the steps taken to address it, 90 days before the official public announcement. This allows them to put in place a remediation plan.
  • We will then publish a security advisory to inform the broader community about the vulnerability and the availability of the patch.

Coordinated Disclosure

  • We encourage coordinated disclosure, where the vulnerability details are made public only after a fix has been released and our customers (members of the NodeOPCUA Support Program) have been confidentially informed.
  • This approach protects our committed users by giving them time to update to the patched version before the vulnerability becomes public, while still resolving the issue for the broader community.

Receiving Security Updates

To receive all vulnerability notifications, please subscribe to our Support Program at https://support.sterfive.com.

Contact

  • For any security-related inquiries, please contact us at [email protected].

  • For general inquiries, or to join the NodeOPCUA Support Program, please contact us at [email protected].


By following this security policy, we aim to maintain a secure and reliable project for all users. Thank you for your cooperation and support.
