nodejs / security-wg

Node.js Ecosystem Security Working Group

HackerOne page does not mention the threat model

joyeecheung opened this issue · comments

I learned from others that https://github.com/nodejs/node/blob/main/SECURITY.md#the-nodejs-threat-model is not mentioned in https://hackerone.com/nodejs - maybe the threat model was developed after the HackerOne program (not sure about the timeline myself) but it seems important to me that we should add something like this at the beginning of the page (feel free to wordsmith it):

Before you submit a security issue, read about the Node.js threat model. We do not accept vulnerability reports that require compromising something that is already considered trusted (such as the operating system).

Yeah, it was developed after the H1 program. I have just updated the page to link to the Node.js Threat Model (in case it updates over time).