Let’s keep things simple –
If you think you have identified a security related issue with any hapi module or repository, please report it immediately to email@example.com. If you are not sure, don’t worry. Better safe than sorry – just send an email. Do not open issues related to any security concerns publicly. Please do not include anyone else on the disclosure email.
When reporting an issue, include as much information as possible, but no need to fill fancy forms or answer tedious questions. Just tell us what you found, how to reproduce it, and any concerns you have about it. We will respond as soon as possible and follow up with any missing information.
The hapi organization reports all identified security issues to the npm Security Team as soon as an issue has been confirmed and works closely to issue responsible disclosures. When issues are disclosed, the person or team responsible for the discovery receives full credit.
In general, public disclosure are made after the issue has been fully identified and a patch is ready to be released. Companies with an active commercial support plan receive advance notice of upcoming security disclosures and patches up to 72 hours prior to public disclosure.