Disclosure of a vulnerability in an open-source package

Snyk values the security community and believes that responsible disclosure of security vulnerabilities in open-source packages helps us ensure the security and privacy of our users. Snyk aims to provide a disclosure program for the security community by which you can report security issues found within managed open-source code.

The Snyk responsible disclosure program aims to protect both the maintainer and the reporting researcher, allowing maintainers and developers who use open-source code to safely benefit from the discovery of these vulnerabilities prior to public disclosure, and crediting those researchers for their dedication.

Snyk's vulnerability disclosure program

The primary steps of the Snyk vulnerability disclosure program are:

1. Any researcher or developer is invited to submit a report regarding an open-source security vulnerability with full details.

2. The Snyk Security team validates the claims in the report and the severity of the associated risks. See Triaging and validation for details.

3. Snyk contacts the owner or maintainer of the affected Project through multiple channels. See Notification of the package maintainer for details.

4. Snyk relays the vulnerability details, advises on potential fixes, and collaborates on a public disclosure timeline with the maintainer. See Fix assistance for details.

5. Snyk publicly discloses the vulnerability, giving full credit to the researcher. See Public disclosure for details.

6. Snyk, as an officially recognized CVE Central Naming Authority (CNA), assigns a CVE to the vulnerability.

Reporting vulnerabilities to Snyk

Vulnerability reports can be submitted by a researcher to report@snyk.io directly or by using the Snyk Vulnerability Disclosure form: https://snyk.io/vulnerability-disclosure/. A submitted vulnerability report should contain the following details at minimum:

• affected module

• relevant package manager and ecosystem

• vulnerability details

• steps to reproduce

Upon receipt of the report, Snyk validates and documents each reported vulnerability prior to notifying the maintainer.

Vulnerability disclosures sent to Snyk by email can also be encrypted using the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFmR918BEADrS77g30ejwt+ecbqJax4ZIBzQC6KSJxbuZ2slEDYdB2aDFj0G
bYhj685q7so6VXzko7weJKzfpbttaaFDPznx752T2nbPdh/ci0HFdbzPHvEBcmIK
aoJAWhiTICT7ys+sdzEXQbtGqsNltExD+ylqws6ovRf1wWA1oCLMLy2/wGl3n67p
jNW2ZkF/5Ke/GOfAM6CCdadUVHx+2d9dYhMrMuatBdhkOZMlOqAI1yvTXNAbE7mJ
mB5c4EfiC0ARiDl785yNgu8e+ONSZDqYaqiDKDen1JdUA0/qgU1E0cT/9rM96UhE
WkKlXMHwWLxA9CBU1dkFEukWwwaXDBpm0Zbx/1RaYc8M/s3yGH9TDbfMHSQ/qebK
oRXOCQjuXUU4JlnnFc9SPzquBdZSHBhF9mSEwR55CmQVZhxeyGJMfeZIbyD5u8dr
hfWQ9MiWY2qH5XUr++6PJJnGWlkYTxXJGgic/gTwstfIHGtizLN/SEZ0hmquX40t
mcqM1/P3PIMRYYx8lw0D+8w8Wm2QJyzIOnRlJhSEsBBl8FNvxIuaO7EjdABRZFba
rfah6bnUIKZeIUdLJuO0l2ki9eIKbP3ASI4mQ94HE0riIVtEhvCtqs/woiws55t0
0y/1QBHk1BlmOGYcHynG3GlxHcCSlWzazLiAGE2g+aF5ZhDfdWy3Row99QARAQAB
tCZTbnlrJ3MgRGlzY2xvc3VyZSBOZXcgPHJlcG9ydEBzbnlrLmlvPokCVAQTAQoA
PgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBKp3WNE4NW56Qbhnk32osM1b
vcseBQJmM6b+BQkQbVEQAAoJEH2osM1bvcsez5gQAKShZlSlkcaYX10erMt7w24x
Ll7kARMjPfLyeoJXytxn52d0139kh++xDz3EhxfAIaRWqKivzYRDx28STmZMInGQ
23D54MMO63dtWQBmyAXem0DJIMT5uEYQI++3ovVSxE+EiUUjfUjxfs5uYd3p2kJZ
o49YBmr51QCyPzvHnSNRXl3sEvDQ/U2SKYNE9dM4h1+ZLgAylLx6tF2SmHmC15Zy
ACbD9WjKDb/O++WDfqUdvZ3moMCjwx/KUpC9EbH2ppnr3ludQ+gttqA5XQ/qxExn
YL+ipyic1U+p3LwG8PBjpsxRBKMtIvhXd1A17opjKnvSyRV7NOiSm794pMt7+YNY
xoJQRmsE5RJFDoyvFU76NxLTZkhdVcBVoFLepQBPoW6KiR1xpe2q2mJ/C/ndf3G6
NAEAm0ic9yrvMwAzW1aYN+uERLgrLJXRHERJddBcShaqcaqmaRZhhVAdsLox87+J
4yiSS3Si5YFmXxTHq2mfQM/f1jmDfvbAsOX9ZNwsYUh5KVFMkLPr+wx8nBYH0+lD
XYYOrbEmjd+oLWaomDD8Nb+Ft49/juSVw1ygqwXMQWw/iGHuKnS1up+88XGKymMF
YW+h3G77EtRr1zgIZC05rvDSyUGnEijuKu5FJesxJsxSkYbq0pbtE6nPAHpZ9yDs
contOfKtJKYwZq9n8KySuQINBFmR918BEADeJq2StjfKuCdunn0wxDLIdIb+SnJN
R8E6q+c/2FoE+HyLIxeoecmgPaCsIiD1n2CWEhPmjWyXw6aNxbC2lIFgGzrdszzi
vRv5L79G3K8exomhHGOJZ7zCxXALQN1xRam+9WktPUAqLQzHQi4231y9oZCOEqN7
ewZnvpOqtNR6zfYAE45HjyIU1ti4uBJRpTD9LDiC/SiSLGXkQlFkqFi2MERxDJvF
aTQifUVy5VpCtCttKoyZcaC1oNZgn4yAJTD6fdCMZoOzMWUNwM6hFOX6UyPxnHn5
z2NuOLXWjd5D6Yj+jLeWvHaBftd1RbfAJxAbd92N8K0ucTIhSO1QkwM/ebA2bLIT
rlHNvisPttDgD24b5QZbQt8GH6eoVLiKYdUgC6ERM/74hNDsBwtp1U9GOVFKkVD9
fk8bzBetuwYp8SJBgpxicPvw1mOLywMadtrO9/kNjywzXRt0z7v6b95jt20IZCED
w39CU3lIEGFVNsiBljoxNezpFO6mIX00msqW1Y8NxU8hLBc+Luf1PsYcViJpAKj3
N48DAZTxytolW86kfBQUBAeObG/kRXnyY5c8U+O91R8AyafieA9TVhxyOJBWezF9
5VNILN9uVy2RRnyqdqJ/CJLsdord31lJ5P/l0+KQIf93Vpnp9iaHj4DB0E8zvpJ5
4lQd0J3w0cSi/QARAQABiQI8BBgBCgAmAhsMFiEEqndY0Tg1bnpBuGeTfaiwzVu9
yx4FAmYzrBwFCRBtVjYACgkQfaiwzVu9yx5x4w/+PnXA+H8qkEgEECgemxcTfpCy
wiaB51ZGt8vBOD8lnrXbFA9fFm81fUcNNjl4oBC1TaVxvJmpzMG83LkhVwSw53YM
r+AlQrnpChOAWEKnDlFphvfHbNZE7kCWtLMQWcQuMpwJetQWwXaT6uVuk2yjKc7k
ifpHtsgcacpIdMV2xiQIA3UU/aOHWhgx7QlIMQhQpN4Xd0TI/0r3exfC10+r4Dxg
CE0IKyHxF5lZaG81yIcCZtFpvb2nLR7F8bzIY0tYSSNqLheHLa0OY12otvMF6T5T
dKhNZw1kc1oeHUNcOAlYKKZHXUGEatN3pdKe5QjpkyIU4++g7NsVnNcHgQhkIikz
DTVUJDYjQyWxBNklSwCQHUuIPtIbbFWdfm62J8Bu9GruYWYfLJJjGugM+Dw3IbaS
WgFMODvL2kL53lwoYjUaNvNoebfLwAp3x1WexbrADTMzTdtTIZXQYRrhDhK+2PIU
9/5ijyf8xODOp1CLBHtSstWp7qnPeEeb8JT2+8XBbRWMsXEJCdxQWBqHdaQnVskB
fLzWt4Ug+DtYXENnKptpT3rij4BE7sjFD4QyAAmR9Hl4uWUdz6KVlMYtOhdcis05
5s+ZFF0//FDZ5OHWNi7TwF8vQOTQAwSZ2YTg+wDwJefMyCPEbIA1hWi3LRgsIiyK
BngSPyDdogCHhFterRI=
=IJDM
-----END PGP PUBLIC KEY BLOCK-----

Triaging and validation

After validating a submitted vulnerability report, an analyst contacts the submitter, using the contact details attached to the report, to acknowledge receipt of the report and to discuss vulnerability details as well as the severity the analyst has assigned.

If the submitted vulnerability was already publicly disclosed and is missing from the Snyk vulnerability database, then, once validated by Snyk, this vulnerability will be added and published in the database.

Notification of the package maintainer

Upon successful validation of a submitted vulnerability, Snyk contacts the maintainer of the package to provide vulnerability details needed to begin any internal resolution process.

Snyk follows a 90-day responsible disclosure and fix timeline, allowing the maintainer of the affected package to ensure a fix is available prior to the vulnerability's being made public. An extension can be provided at the maintainer’s request, and depending on the severity of the disclosed vulnerability, Snyk is happy to wait for public disclosure until a patch is made available.

After 30 days

If the maintainer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, Snyk retransmits the vulnerability details to the original point of contact of the affected package and at least one secondary contact if a secondary contact is publicly available.

After 40 days

If an additional ten business days elapse with no response from the maintainer after the second notification (a total of 40 business days), vulnerability details are re-sent not only to the previous two contacts, but also to customers and other affected stakeholders at the discretion of Snyk.

After 50 days

If the package maintainer does not respond to any of the three notification attempts within an additional ten business days following the third notification (50 business days after the original notification), or if the maintainer indicates they do not wish to coordinate disclosure, Snyk may elect to issue a public advisory with no further collaboration.

Acknowledging receipt

Maintainers should acknowledge receipt of the notification with the following details:

• Confirmation that the vulnerability information has been received

• The scheduled timeline for an investigation.

• A point of contact responsible for coordinating and tracking information on the issue from within their organization.

• An estimate of when they expect to complete their initial investigation of the security issue as provided in the notification.

Fix assistance

After the maintainer acknowledges receipt of the notification, Snyk works with the maintainer to determine how to handle the security issue within ten business days. The following tasks are included in this phase:

• Snyk is happy to provide additional information to assist the maintainer in the development of a solution.

• The maintainer and Snyk collaborate to time public disclosure and fix of the issue.

Public disclosure

As part of the public disclosure phase, Snyk:

• Assigns a Common Vulnerabilities and Exposures (CVE) ID for public tracking

• Adds the vulnerability to its public vulnerability database, providing information about the vulnerability and the related fix

Public disclosure may be initiated either by completing the fix assistance phase or through a process failure in prior phases.

During the public disclosure phase, Snyk, and preferably the maintainer, disseminate information about the vulnerability and the fix to the public. Snyk may disseminate information through public email lists, web pages, or any other medium it deems appropriate to reach the intended audiences.