This could significantly impact security of large parts of web ecosystem.
Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"
They are using HackerOne, but not sure if VDP is part of the process.
> Security reporting remains unchanged. We still accept and triage vulnerability reports through HackerOne. If you discover a security issue, please continue to report it responsibly.
Perhaps Node.js can switch to a VDP, no-bounty program. From Hacker One: "VDP is designed solely for receiving, validating, and addressing security reports without a paid bounty element"