We work closely with open-source maintainers and affected projects to protect users and ensure a coordinated disclosure. When we identify a vulnerability, we responsibly disclose it to the publicly listed security contact for the project if one exists, and to the maintainers directly otherwise.
If the project team responds and agrees the issue is a security risk, we work with them to walk through the vulnerability in detail and agree on a process for public disclosure. Responsibility for developing and releasing a patch lies with the project team. We aim to make that work easier by providing detailed technical information.
Our deadline for public disclosure is 90 days after our first responsible disclosure to the project team. When a vulnerability concerns a bypass of an existing fix, a 7-day deadline replaces the 90-day one. In open source, the original patch and its commit history are publicly visible, so attackers can independently discover the bypass and exploit it in the wild. We and the project team can mutually agree to release details earlier than the deadline requires.
We appreciate the work maintainers put into fixing vulnerabilities and understand that some issues take more time. We are open to discussing the timeline when there is a good reason to extend it.
Sharing a disclosure policy with maintainers makes the rest of the conversation smoother, and we encourage every vulnerability reporter to publish one. If our policy is useful to you, feel free to copy it for your own disclosures.
Reach us at [email protected] with any questions about our policy or our security research.
Inspired by GitHub Security Lab's disclosure policy and Project Zero's disclosure policy.