ossf / package-analysis

Open Source Package Analysis
Apache License 2.0

Report a critical issue #1041

Closed ya3raj closed 2 months ago

ya3raj commented 3 months ago

Hi there, how do I report a vulnerability to ossf which I discovered in an npm package? Could you please guide me if there is any bug bounty program or so?

maxfisher-g commented 3 months ago

Hi @ya3raj, please report this vulnerability to NPM, and contact the package author. If you believe the package is doing something malicious, you can use the "Report malware" button on the NPM page.

I'm not aware of any bug bounties for third-party packages (i.e. packages not published by OpenSSF or any of its constituents).