Disclosure of a vulnerability in an open-source package

Snyk values the security community and believes that responsible disclosure of security vulnerabilities in open-source packages helps us ensure the security and privacy of our users. Snyk aims to provide a disclosure program for the security community by which you can report security issues found within managed open-source code.

The Snyk responsible disclosure program aims to protect both the maintainer and the reporting researcher, allowing maintainers and developers who use open-source code to safely benefit from the discovery of these vulnerabilities prior to public disclosure, and crediting those researchers for their dedication.

Snyk's vulnerability disclosure program

The primary steps of the Snyk vulnerability disclosure program are:

  1. Any researcher or developer is invited to submit a report regarding an open-source security vulnerability with full details.

  2. The Snyk Security team validates the claims in the report and the severity of the associated risks. See Triaging and validation for details.

  3. Snyk contacts the owner or maintainer of the affected Project through multiple channels. See Notification of the package maintainer for details.

  4. Snyk relays the vulnerability details, advises on potential fixes, and collaborates on a public disclosure timeline with the maintainer. See Fix assistance for details.

  5. Snyk publicly discloses the vulnerability, giving full credit to the researcher. See Public disclosure for details.

  6. Snyk, as an officially recognized CVE Numbering Authority (CNA), assigns a CVE to the vulnerability.

Reporting vulnerabilities to Snyk

Vulnerability reports can be submitted by a researcher to report@snyk.io directly or by using the Snyk Vulnerability Disclosure form: https://snyk.io/vulnerability-disclosure/. A submitted vulnerability report should contain the following details at minimum:

  • affected module

  • relevant package manager and ecosystem

  • vulnerability details

  • steps to reproduce

Upon receipt of the report, Snyk validates and documents each reported vulnerability prior to notifying the maintainer.

Vulnerability disclosures sent to Snyk by email can also be encrypted using the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFmR918BEADrS77g30ejwt+ecbqJax4ZIBzQC6KSJxbuZ2slEDYdB2aDFj0G
bYhj685q7so6VXzko7weJKzfpbttaaFDPznx752T2nbPdh/ci0HFdbzPHvEBcmIK
aoJAWhiTICT7ys+sdzEXQbtGqsNltExD+ylqws6ovRf1wWA1oCLMLy2/wGl3n67p
jNW2ZkF/5Ke/GOfAM6CCdadUVHx+2d9dYhMrMuatBdhkOZMlOqAI1yvTXNAbE7mJ
mB5c4EfiC0ARiDl785yNgu8e+ONSZDqYaqiDKDen1JdUA0/qgU1E0cT/9rM96UhE
WkKlXMHwWLxA9CBU1dkFEukWwwaXDBpm0Zbx/1RaYc8M/s3yGH9TDbfMHSQ/qebK
oRXOCQjuXUU4JlnnFc9SPzquBdZSHBhF9mSEwR55CmQVZhxeyGJMfeZIbyD5u8dr
hfWQ9MiWY2qH5XUr++6PJJnGWlkYTxXJGgic/gTwstfIHGtizLN/SEZ0hmquX40t
mcqM1/P3PIMRYYx8lw0D+8w8Wm2QJyzIOnRlJhSEsBBl8FNvxIuaO7EjdABRZFba
rfah6bnUIKZeIUdLJuO0l2ki9eIKbP3ASI4mQ94HE0riIVtEhvCtqs/woiws55t0
0y/1QBHk1BlmOGYcHynG3GlxHcCSlWzazLiAGE2g+aF5ZhDfdWy3Row99QARAQAB
tCZTbnlrJ3MgRGlzY2xvc3VyZSBOZXcgPHJlcG9ydEBzbnlrLmlvPokCPQQTAQoA
JwUCWZH3XwIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRB9qLDN
W73LHgFCD/9iOZsBHjVPHGZ/audEe2IwEfCpRM+ZM3SAvmGB31A0Vg7X+g1a+ZcZ
3nOTXGBdKHk66xYJ0H0C0iLamziwJvJpgOQqhgSews4qaJyJMaTyZkuabdRiscks
Dp9AL1nsEAPrA0y9Ny3sjeUSCRL8/ZZ0Thy2TfPhMonuyLwkEpQQB+mup8qWHf4Q
jVQvtXab3BPCyl33Ci1fsYirfAnh2HKZzb83cUcexKU7YSFTeA8wcBr7HBo4mZeO
5IfmhuZRplb/1hkoSwWTLMggmjaY338R7m36xuSUF818TaReLcHtzZcl+Rwb36VJ
zSKiYx+S69llpVR5Wh3weTwligBfaH/3gE/lf790Gv0fIy9UblfAa2lODqdyAuwW
l79XsBBt399KNnfKcGtR/S0rKt4iU0DwZOGel239301DUmoPbCo4PLWuv2GRfXBk
NSoSlwJkIJcEhM7RBaZc76CNyioTU/W8oYOnhzrgbE3xqiS1+s//lh3H42FsvJnP
8Yc3UGv4LhEP/BN9h9w5mYkcvX6o8Blg8fMNRlU8UP3RWBLDrm6Epdvj73pP6ifR
iZof1wJeAbqXf5gKQjKX8jEqgquTSB2IJQPXtzNn2lpjMWMdmWUbWwVQ5i2/LrBt
dxgfuOpLAfJs/gjbhgJCaA8L7KCdCTyiZUrOke2N7XOR53ttRB7uwLkCDQRZkfdf
ARAA3iatkrY3yrgnbp59MMQyyHSG/kpyTUfBOqvnP9haBPh8iyMXqHnJoD2grCIg
9Z9glhIT5o1sl8OmjcWwtpSBYBs63bM84r0b+S+/RtyvHsaJoRxjiWe8wsVwC0Dd
cUWpvvVpLT1AKi0Mx0IuNt9cvaGQjhKje3sGZ76TqrTUes32ABOOR48iFNbYuLgS
UaUw/Sw4gv0okixl5EJRZKhYtjBEcQybxWk0In1FcuVaQrQrbSqMmXGgtaDWYJ+M
gCUw+n3QjGaDszFlDcDOoRTl+lMj8Zx5+c9jbji11o3eQ+mI/oy3lrx2gX7XdUW3
wCcQG3fdjfCtLnEyIUjtUJMDP3mwNmyyE65Rzb4rD7bQ4A9uG+UGW0LfBh+nqFS4
imHVIAuhETP++ITQ7AcLadVPRjlRSpFQ/X5PG8wXrbsGKfEiQYKcYnD78NZji8sD
Gnbazvf5DY8sM10bdM+7+m/eY7dtCGQhA8N/QlN5SBBhVTbIgZY6MTXs6RTupiF9
NJrKltWPDcVPISwXPi7n9T7GHFYiaQCo9zePAwGU8craJVvOpHwUFAQHjmxv5EV5
8mOXPFPjvdUfAMmn4ngPU1YccjiQVnsxfeVTSCzfblctkUZ8qnaifwiS7HaK3d9Z
SeT/5dPikCH/d1aZ6fYmh4+AwdBPM76SeeJUHdCd8NHEov0AEQEAAYkCJQQYAQoA
DwUCWZH3XwIbDAUJB4YfgAAKCRB9qLDNW73LHqdcD/936EqsLwZ5QIOozjubK0ma
/aNKRYImAM5C46YJZ+Fkl/Y42Qey3Tgrr7Su+sUKlJlgPWbDlA2fsoV9kjVmK98z
JvrWUovxFmR3c63m0zWFHaDKmpExzTmz4SCuxS+5BY8qh4BucF/JdFulUGwfoTax
PYPJi2OoEM3KE3DJoNIC7l6UeSyMWhnTrvDWESWJL1ES2fIAxpr68Wjpz4aPRLpP
GVqupAYhjSW3hdkkUmzspM+pNSyLguBD/on8qs2l7c/vXx3nWPGPfqFbcuxOwFND
ar3k4iIXKZ/O78o6p+kAjsmEMtPDkOe1GmUnyKEm1zH0/OXGd0q8s6R9FZ7KgVtc
Ad52OmkopgktPrEGokNU57uv8KXqSEcQMCdHFTly8MWuCBdgoAzRgXFnbrLSVNxU
UBW6rFlqh1+npFbVAoPmi8mbv4w8Af1bi1HGQexDUjpB80P84cgzOQwgjNARU0v/
3IO0ErkyoFwUnig+lpKRBYX6y7xZm/GJAdo/w5f3mqIlr5G0RMwVh5yi5F2/8Lpx
YFu06/0/Ssh/vsOp6PeAfWctzdVR69uZbXN/CkCXyVeKBy8lKc2jsYsJPTL8Hqlu
4tOgNB/sgzJ2IRaMZOA9WOjpUInH/iShW5Nj6uozCWc2GjHVc8NTJ6uVA2hMR36i
V7JD6Yv5YR5K0Wf9MsSHZA==
=6Uz+
-----END PGP PUBLIC KEY BLOCK-----

Triaging and validation

After validating a submitted vulnerability report, an analyst contacts the submitter, using the contact details attached to the report, to acknowledge receipt of the report and to discuss vulnerability details as well as the severity the analyst has assigned.

If the submitted vulnerability was already publicly disclosed and is missing from the Snyk vulnerability database, then, once validated by Snyk, this vulnerability will be added and published in the database.

Notification of the package maintainer

Upon successful validation of a submitted vulnerability, Snyk contacts the maintainer of the package to provide vulnerability details needed to begin any internal resolution process.

Snyk follows a 90-day responsible disclosure and fix timeline, allowing the maintainer of the affected package to ensure a fix is available before the vulnerability is made public. An extension can be provided at the maintainer's request, and depending on the severity of the disclosed vulnerability, Snyk is willing to delay public disclosure until a patch is available.

After 30 days

If the maintainer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, Snyk retransmits the vulnerability details to the original point of contact of the affected package and at least one secondary contact if a secondary contact is publicly available.

After 40 days

If an additional ten business days elapse with no response from the maintainer after the second notification (a total of 40 business days), vulnerability details are re-sent not only to the previous two contacts, but also to customers and other affected stakeholders at the discretion of Snyk.

After 50 days

If the package maintainer does not respond to any of the three notification attempts within an additional ten business days following the third notification (50 business days after the original notification), or if the maintainer indicates they do not wish to coordinate disclosure, Snyk may elect to issue a public advisory with no further collaboration.

Acknowledging receipt

Maintainers should acknowledge receipt of the notification with the following details:

  • Confirmation that the vulnerability information has been received.

  • The scheduled timeline for an investigation.

  • A point of contact responsible for coordinating and tracking information on the issue from within their organization.

  • An estimate of when they expect to complete their initial investigation of the security issue described in the notification.

Fix assistance

After the maintainer acknowledges receipt of the notification, Snyk works with the maintainer to determine how to handle the security issue within ten business days. The following tasks are included in this phase:

  • Snyk is happy to provide additional information to assist the maintainer in the development of a solution.

  • The maintainer and Snyk collaborate on the timing of the public disclosure and of the fix for the issue.

Public disclosure

As part of the public disclosure phase, Snyk:

  • Assigns a Common Vulnerabilities and Exposures (CVE) ID for public tracking

  • Adds the vulnerability to its public vulnerability database, providing information about the vulnerability and the related fix

Public disclosure may be initiated either by completing the fix assistance phase or through a process failure in prior phases.

During the public disclosure phase, Snyk, and preferably the maintainer, disseminate information about the vulnerability and the fix to the public. Snyk may disseminate information through public email lists, web pages, or any other medium it deems appropriate to reach the intended audiences.
