Runtime Node is a security-critical project. The entire purpose of this image is to reduce attack surface — so security issues are taken seriously and handled with priority.
Runtime Node uses immutable version tags. Once a tag is published, it is never patched in place. Security fixes are always delivered as a new release with a new version tag.
| Version | Status |
|---|---|
| Latest release (`latest` tag) | ✅ Supported |
| Previous releases | |
If a security issue is found that affects the image, a new release will be published as soon as possible and the affected versions will be documented in the release notes.
Given the nature of this project, a security vulnerability is any issue that:
- Introduces a shell, package manager, or OS utility into the final image (breaking the distroless guarantee)
- Includes a library or binary with a known CVE in the final image
- Weakens file permissions in the final image (e.g. world-writable files outside of /tmp)
- Introduces an unpinned or floating base image that could silently change the image contents
- Compromises the integrity of the build pipeline or published image (e.g. supply chain attack)
- Exposes sensitive information in image labels, environment variables, or SBOM metadata
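One way to turn three of the criteria above (a shell or package manager in the final image, world-writable files outside /tmp, and an unpinned base image) into an automated check, as an added example that is not part of the Runtime Node project: a POSIX sh script that inspects an exported image filesystem and the Dockerfile that built it. It assumes the filesystem is a directory produced with `docker create`, `docker export` and `tar -x`; the list of binary paths, the `node:22` tag, the `example.invalid` registry and the all-zero digest in the fixture are constructed sample values, not values from the project.

```shell
#!/bin/sh
# Added example (not Runtime Node's own code): checks an exported image
# filesystem and its Dockerfile against three of the policy's criteria.
# Assumed inputs: ROOTFS is a directory holding the image's filesystem
# (e.g. `docker create` + `docker export` + `tar -x`), DOCKERFILE is the recipe.

# Return 0 if no shell / package-manager binary exists under the rootfs, else 1.
check_no_shell() {
  root=${1%/}; rc=0
  for p in bin/sh bin/bash bin/dash bin/busybox usr/bin/sh usr/bin/bash \
           usr/bin/apt usr/bin/apt-get usr/bin/dpkg usr/bin/apk usr/bin/yum; do
    if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
      echo "FAIL: $p is present in the image (breaks the distroless guarantee)" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 if no world-writable regular file exists outside /tmp, else 1.
check_no_world_writable() {
  root=${1%/}
  bad=$(find "$root" -path "$root/tmp" -prune -o -type f -perm -0002 -print)
  if [ -n "$bad" ]; then
    printf 'FAIL: world-writable file(s) outside /tmp:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Return 0 if every FROM line pins its base image by digest (@sha256:...), else 1.
# "FROM scratch" and references to earlier build stages (FROM <alias>) are accepted.
check_pinned_base() {
  dockerfile=$1; rc=0; stages=" scratch "
  oldifs=$IFS; IFS='
'
  for line in $(grep -i '^[[:space:]]*FROM[[:space:]]' "$dockerfile" || true); do
    IFS=$oldifs
    set -- $line                                   # split the line into words
    shift                                          # drop the FROM keyword
    while [ "${1#--}" != "$1" ]; do shift; done    # skip flags such as --platform=...
    ref=$1
    if [ "$(printf '%s' "$2" | tr 'as' 'AS')" = "AS" ] && [ -n "$3" ]; then
      stages="$stages$3 "                          # remember this stage's alias
    fi
    case "$stages" in *" $ref "*) continue ;; esac
    case "$ref" in
      *@sha256:*) ;;
      *) echo "FAIL: base image is not pinned by digest: $ref" >&2; rc=1 ;;
    esac
  done
  IFS=$oldifs
  return $rc
}

# Run all three checks on one export; exit status is non-zero if any fails.
check_image_export() {
  overall=0
  check_no_shell "$1"          || overall=1
  check_no_world_writable "$1" || overall=1
  check_pinned_base "$2"       || overall=1
  if [ "$overall" -eq 0 ]; then echo "OK: export passes the distroless checks"; fi
  return $overall
}

# Constructed fixture (sample data, not a real image export): a rootfs and a
# Dockerfile that violate each criterion exactly once, for offline exercise.
build_fixture() {
  d=${1%/}
  mkdir -p "$d/rootfs/bin" "$d/rootfs/tmp" "$d/rootfs/app"
  printf '#!/bin/sh\n' > "$d/rootfs/bin/sh"          # a shell in the final image
  : > "$d/rootfs/app/config.json"
  chmod 0666 "$d/rootfs/app/config.json"             # world-writable outside /tmp
  : > "$d/rootfs/tmp/cache"
  chmod 0666 "$d/rootfs/tmp/cache"                   # allowed: lives under /tmp
  cat > "$d/Dockerfile" <<'EOF'
FROM node:22 AS build
FROM build
FROM scratch
FROM example.invalid/base@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

if [ "$#" -eq 2 ]; then
  check_image_export "$1" "$2"    # usage: sh check_export.sh ROOTFS DOCKERFILE
fi
```

Each check exits non-zero on a violation, so the driver can gate a release in CI. The library/CVE criterion is deliberately not covered here: that is what a scanner such as Trivy or Grype reports, and its output is what the reporting section below asks for.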
Issues with the user's own application running on top of Runtime Node are outside the scope of this policy.
Do not open a public GitHub Issue to report a security vulnerability.
Please use one of the following private channels:
- GitHub Private Vulnerability Reporting (preferred): use GitHub's built-in private reporting feature ("Report a vulnerability"). This keeps the disclosure confidential until a fix is published and allows coordinated disclosure.
- Email: if you prefer, send a detailed report to runtimenodes@gmail.com
To help investigate and reproduce the issue as quickly as possible, please include:
- A clear description of the vulnerability and its potential impact
- The affected version tag(s) (e.g. v2.2.0-25.8.0)
- The affected registry or registries (Docker Hub, GHCR, or both)
- Steps to reproduce or a proof of concept
- Any relevant scan output (e.g. Trivy, Grype, Snyk results)
| Stage | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix or mitigation published | Dependent on severity and complexity |
High-severity issues will be prioritised and addressed as quickly as possible.
Runtime Node follows coordinated disclosure. This means:
- Vulnerabilities are kept confidential until a fix is published.
- The reporter will be notified before public disclosure.
- Credit will be given to the reporter in the release notes unless they request otherwise.
The following are considered out of scope for this security policy:
- Vulnerabilities in the user's own application code running on top of this image
- Vulnerabilities in Node.js itself — please report those to the Node.js security team
- Vulnerabilities in GitHub Actions used in the CI/CD pipeline — please report those to the respective action maintainers