Ulises Gascón

Ulises Gascón is a Senior SWE at NodeSource. He is also a member of the Express Technical Committee (TC), a Node.js core collaborator and releaser, and a TC39 delegate. He has earned recognition as a Docker Captain, Microsoft Most Valuable Professional (MVP), and Google Developer Expert (GDE) for his noteworthy contributions to the Node.js community.
What is a Vulnerability and What’s Not? Making Sense of Node.js and Express Threat Models
Node Congress 2025
Upcoming
Security isn’t just about fixing bugs; it’s about understanding the assumptions we make (and avoiding unnecessary panic). In this talk, we’ll dive into the Node.js and Express threat models, which I co-authored, to break down what they trust, what they don’t, and why that actually matters for developers and security researchers. We’ll take a look at real-world vulnerabilities that fit within these models, clear up some of the most common security misconceptions (because not everything is a critical meltdown), and explore how these security assumptions influence bug bounties, exploitability, and long-term fixes. By the end, attendees will walk away with a much better sense of what’s a real security risk, what isn’t, and how to build applications that won’t keep them up at night.