This page documents our process for handling security vulnerabilities in open source packages. To report a vulnerability, see our reporting page.
Here are the steps we follow.
- The person discovering an issue (the reporter) privately reports it to firstname.lastname@example.org.
- The Tidelift security team will reply to the reporter within two business days to acknowledge receipt.
- We expect that packages using Tidelift as their security contact will have maintainers signed up to work with Tidelift (we call these maintainers lifters).
- The Tidelift security team will contact the lifter or lifters for the affected package and work with them to investigate the report.
- If a package has no lifters, the security team will attempt to direct the reporter to an appropriate alternative place to report the issue.
- Involved lifters will keep the report confidential. This means avoiding public GitHub issues or commits.
- Once a report has been investigated, the Tidelift security team will notify the reporter whether the report has been accepted or rejected, with an explanation.
- If a report is rejected, there is nothing else to do. If accepted, the process continues.
- The Tidelift security team will obtain a CVE number for the vulnerability.
- The lifters for the affected package will prepare a fix and an accompanying announcement.
- The Tidelift security team will share the fix and draft announcement with the reporter.
- Tidelift, the lifters, and the reporter will negotiate the fix, announcement, and release schedule.
- With an announcement plan in place, lifters will commit the fix and publish fixed release(s). The commits and releases should be made as close to the announcement as possible, and should not mention that they address a security vulnerability.
- If the project normally makes release announcements, those should go out as normal, but without discussing the security vulnerability.
- The vulnerability announcement should come after a new version of the package is available. It should be sent to:
  - the same destinations as any release announcement
  - the vulnerability reporter
The announcement email should include the CVE name(s), project name, and affected versions in its subject line.