meta: allow penetration testing on live system with prior authorization

Signed-off-by: Matteo Collina <[email protected]>
PR-URL: nodejs#57966
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>

Author: mcollina

SECURITY.md

@@ -72,7 +72,9 @@ When reporting security vulnerabilities, reporters must adhere to the following
 
 3. **Responsible Testing**: When testing potential vulnerabilities:
    * Use isolated, controlled environments.
-   * Do not test on production systems.
+   * Do not test on production systems without prior authorization. Contact
+     the Node.js Technical Steering Committee (<[email protected]>) for permission or open
+     a HackerOne report.
    * Do not attempt to access or modify other users' data.
    * Immediately stop testing if unauthorized access is gained accidentally.