Add March 2025 CI incident blog post (#7588)

mcollina · web-flow · commit 92a16a93d6ba · 2025-03-31T20:24:05.000-07:00
Signed-off-by: Matteo Collina &lt;hello@matteocollina.com&gt;
diff --git a/apps/site/pages/en/blog/vulnerability/march-2025-ci-incident.md b/apps/site/pages/en/blog/vulnerability/march-2025-ci-incident.md
@@ -0,0 +1,21 @@
+---
+date: '2025-03-31T16:30:00.617Z'
+category: vulnerability
+title: Node.js Test CI Security Incident
+layout: blog-post
+author: Node.js Technical Steering Committee
+---
+
+On March 21st, the Node.js project received a security report regarding our development infrastructure via [our bug bounty program](https://hackerone.com/nodejs). We immediately restricted access while implementing corrective actions.
+
+The reported issue did not impact the Node.js runtime and there is no risk to users of Node.js. No action by Node.js users is required.
+
+The development infrastructure is expected to be available to the community by April 15 or sooner.
+
+A full report of this incident will be available forthcoming. We appreciate the time investment from our amazing volunteers who assisted in this response.
+
+## Contact and future updates
+
+The current Node.js security policy can be found at [https://nodejs.org/security/](/security/). Please follow the process outlined in <https://github.com/nodejs/node/security/policy> if you wish to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
