From e636642fdf462b8f33194ad24b13fb9149468a03 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Tue, 20 Jan 2026 14:52:34 -0300 Subject: [PATCH 1/4] Blog: add HackerOne signal 1 post --- .../hackerone-signal-requirement.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md diff --git a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md new file mode 100644 index 0000000000000..4cbffe2f15902 --- /dev/null +++ b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md 
@@ -0,0 +1,36 @@ +--- +date: 2026-01-20T12:00:00.000Z +category: announcements +title: New HackerOne Signal Requirement for Vulnerability Reports +layout: blog-post +author: The Node.js Project +--- + +We have updated our [HackerOne program](https://hackerone.com/nodejs) to require a **Signal of 1.0 or +higher** to submit vulnerability reports to the Node.js project. + +## Why This Change + +The Node.js security team has experienced a significant increase in low-quality, AI-generated vulnerability +reports. Triaging these reports consumes time and energy that could be spent on legitimate security work. +We consider this volume of noise a denial-of-service against the project's security process. + +By requiring a minimum Signal score, we ensure that reporters have a proven track record of submitting +valid security reports, while still allowing newer researchers to participate with a limited number of +submissions. + +## What This Means for You + +- **Researchers with Signal >= 1.0**: You can continue reporting vulnerabilities through HackerOne as usual +- **New researchers or those below the threshold**: You can still reach the security team through the + [OpenJS Foundation Slack](https://slack-invite.openjsf.org/). Contact us there to discuss potential + vulnerabilities + +## About HackerOne Signal + +Signal is HackerOne's reputation metric that reflects the quality of a researcher's past submissions. +A higher Signal indicates a history of valid, impactful reports. This requirement helps us prioritize +reports from researchers with demonstrated expertise while reducing the burden of triaging invalid +submissions. + +We appreciate the security community's understanding and continued collaboration in keeping Node.js secure. From d241fee2c4bf8484a728d0be01ac5c7f1dde3735 Mon Sep 17 00:00:00 2001 
From: Rafael Gonzaga Date: Tue, 20 Jan 2026 15:16:34 -0300 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Antoine du Hamel --- .../en/blog/announcements/hackerone-signal-requirement.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md index 4cbffe2f15902..7825f6d87b139 100644 --- a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md +++ b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md @@ -21,16 +21,18 @@ submissions. ## What This Means for You -- **Researchers with Signal >= 1.0**: You can continue reporting vulnerabilities through HackerOne as usual +- **Researchers with [signal][Signal] >= 1.0**: You can continue reporting vulnerabilities through HackerOne as usual - **New researchers or those below the threshold**: You can still reach the security team through the [OpenJS Foundation Slack](https://slack-invite.openjsf.org/). Contact us there to discuss potential vulnerabilities ## About HackerOne Signal -Signal is HackerOne's reputation metric that reflects the quality of a researcher's past submissions. +[Signal][] is HackerOne's reputation metric that reflects the quality of a researcher's past submissions. A higher Signal indicates a history of valid, impactful reports. This requirement helps us prioritize reports from researchers with demonstrated expertise while reducing the burden of triaging invalid submissions. We appreciate the security community's understanding and continued collaboration in keeping Node.js secure. + +[Signal]: https://docs.hackerone.com/en/articles/8369891-signal-impact From 932f44bc4dfd88502b512e8e00c14575dfee878e Mon Sep 17 00:00:00 2001 
From: RafaelGSS Date: Wed, 21 Jan 2026 11:05:11 -0300 Subject: [PATCH 3/4] fixup! Blog: add HackerOne signal 1 post --- .../announcements/hackerone-signal-requirement.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md index 7825f6d87b139..1dfbd1d181217 100644 --- a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md +++ b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md @@ -11,9 +11,10 @@ higher** to submit vulnerability reports to the Node.js project. ## Why This Change -The Node.js security team has experienced a significant increase in low-quality, AI-generated vulnerability -reports. Triaging these reports consumes time and energy that could be spent on legitimate security work. -We consider this volume of noise a denial-of-service against the project's security process. +The Node.js security team has experienced a significant increase in low-quality reports. +This trend has been increasing over the years, and over the holidays it crossed the threshold +that we can actually handle. Between December 15th and January 15th, we received over 30 reports. +Triaging these reports consumes time and energy that could be spent on legitimate security work. By requiring a minimum Signal score, we ensure that reporters have a proven track record of submitting valid security reports, while still allowing newer researchers to participate with a limited number of 
@@ -21,8 +22,8 @@ submissions. ## What This Means for You -- **Researchers with [signal][Signal] >= 1.0**: You can continue reporting vulnerabilities through HackerOne as usual -- **New researchers or those below the threshold**: You can still reach the security team through the +- **New researchers or researchers with [signal][Signal] >= 1.0**: You can continue reporting vulnerabilities through HackerOne as usual +- **Those below the threshold**: You can still reach the security team through the [OpenJS Foundation Slack](https://slack-invite.openjsf.org/). Contact us there to discuss potential vulnerabilities From 68e6d6c265ab2f764b9c71d6bbcf4cbbc3863fe2 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 21 Jan 2026 11:06:09 -0300 Subject: [PATCH 4/4] fixup! fixup! Blog: add HackerOne signal 1 post --- .../pages/en/blog/announcements/hackerone-signal-requirement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md index 1dfbd1d181217..34dd19dc1d551 100644 --- a/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md +++ b/apps/site/pages/en/blog/announcements/hackerone-signal-requirement.md @@ -1,5 +1,5 @@ --- -date: 2026-01-20T12:00:00.000Z +date: 2026-01-21T12:00:00.000Z category: announcements title: New HackerOne Signal Requirement for Vulnerability Reports layout: blog-post
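Review bot: The "Why This Change" hunk in PATCH 3/4 (`@@ -11,9 +11,10 @@`) replaces the "AI-generated" and "denial-of-service" wording with a count, but "Between December 15th and January 15th, we received over 30 reports" does not say how many of those were low quality, while the sentence before it talks about "low-quality reports". If the 30 are the invalid ones, say "over 30 low-quality reports"; if it is the total, give the invalid share, otherwise the number does not support the claim that it "crossed the threshold that we can actually handle". That threshold phrase is also vague; a concrete statement such as the triage capacity of the volunteer team, or dropping the clause and leading with the time-cost sentence that follows, would read better.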
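Review bot: The "What This Means for You" hunk in PATCH 3/4 (`@@ -21,8 +22,8 @@`) now lets "New researchers or researchers with [signal][Signal] >= 1.0" keep using HackerOne, but the opening paragraph from PATCH 1/4 still states that the program requires "a **Signal of 1.0 or higher** to submit vulnerability reports", and the "About HackerOne Signal" section still says the requirement ensures "a proven track record". After this change those sentences are inaccurate for new accounts; the intro should say that the requirement applies to researchers with an established Signal and that new researchers may still submit a limited number of reports, which is what the second paragraph of "Why This Change" already says. The Slack item, "Contact us there to discuss potential vulnerabilities", should also tell people not to post vulnerability details in public channels and to reach the security team privately, since the link is an open workspace invite.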
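Review bot: PATCH 3/4 and PATCH 4/4 are `fixup!` commits ("fixup! Blog: add HackerOne signal 1 post", "fixup! fixup! Blog: add HackerOne signal 1 post"); the series should be autosquashed into PATCH 1/4 before merge so the published history is a single commit. The date bump in PATCH 4/4 (`-date: 2026-01-20T12:00:00.000Z` / `+date: 2026-01-21T12:00:00.000Z`) matches the commit date and is fine, but it is another reason to squash rather than land a one-line fixup on its own.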