
Vulnerability Disclosure Policy

This disclosure policy sets forth the standards and procedures for the submission, review and publication of vulnerabilities identified by members of our security community, to enable the open sharing of verified information in a responsible way that protects our community and their users. Reports submitted to oss-report@checkmarx.com will be reviewed and handled in accordance with this policy.

1. Prerequisites

We will review vulnerabilities identified in libraries that meet the following prerequisites:

1.1. The code was released as Open Source Code; it is not proprietary code and is not distributed under a commercial license requiring payment.

1.2. The Open Source Code was developed by individuals and not by a commercial entity and is not related to any project or side-project of any commercial entity.

1.3. The Open Source Code is accompanied by, or obtained under, a license that details the terms and conditions governing the use of such Open Source Code.

1.4. The Open Source Code license does not require modifications of the Open Source Code to be distributed under the same license or a “compatible” license (that is, it is not a copyleft license; known approved licenses include MIT, ISC and BSD). The OSS license terms and conditions can usually be found in a LICENSE.txt file.

Note: Files within an Open Source Code repository may carry different licenses from the top-level LICENSE file (for example, a vendored file with its own header). To make sure the whole repository meets these prerequisites, also search every file the User intends to check for common license-related terms such as licen, redist, copyright and public, and for common license names such as MIT, GPL, BSD and Apache.

1.5. For more information regarding open source license types, the User can visit https://opensource.org/licenses.
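The search the Note describes can be automated. The script below is an added example and is not Checkmarx's own tooling: it walks a source tree, records which of the Note's license-related fragments and license names appear in each file, and flags any file carrying copyleft terms (GPL family, MPL, EPL, a mapping assumed here and not stated by the policy) as failing prerequisite 1.4 even when the top-level LICENSE is permissive. The sample repository it scans is constructed inside a temporary directory: an MIT LICENSE at the top level and one vendored file with a GPL header, which is exactly the case the Note warns about.

```python
"""Scan a source tree for license evidence, as the Note under prerequisite 1.4 suggests.

Added example; the term lists, the copyleft/permissive mapping and the sample
repository are assumptions made for this example, not part of the policy.
"""
import os
import re
import tempfile

# Fragments the policy Note suggests searching for (case-insensitive substrings).
GENERIC_TERMS = ("licen", "redist", "copyright", "public")

# License names matched as whole words. MIT/ISC/BSD are the names the policy
# lists as approved; Apache is not in that list but is treated as non-copyleft here.
PERMISSIVE = {"MIT": r"\bMIT\b", "ISC": r"\bISC\b", "BSD": r"\bBSD\b", "Apache": r"\bApache\b"}
# Share-alike licenses assumed to fail prerequisite 1.4 for this example.
COPYLEFT = {"GPL": r"\b[AL]?GPL\b", "MPL": r"\bMPL\b", "EPL": r"\bEPL\b"}

SKIP_DIRS = {".git", "node_modules", "dist", "build", "__pycache__"}
MAX_BYTES = 1_000_000  # license text is small; skip large blobs


def scan_file(path):
    """Return (generic_hits, permissive_hits, copyleft_hits) for one text file, or None."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return None
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    if "\x00" in text:  # crude binary check
        return None
    lower = text.lower()
    generic = {t for t in GENERIC_TERMS if t in lower}
    permissive = {n for n, rx in PERMISSIVE.items() if re.search(rx, text)}
    copyleft = {n for n, rx in COPYLEFT.items() if re.search(rx, text)}
    return generic, permissive, copyleft


def scan_repo(root):
    """Walk the tree and summarize license evidence per file and repository-wide."""
    per_file = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            result = scan_file(path)
            if result is None:
                continue
            generic, permissive, copyleft = result
            if generic or permissive or copyleft:
                rel = os.path.relpath(path, root)
                per_file[rel] = {"terms": sorted(generic),
                                 "permissive": sorted(permissive),
                                 "copyleft": sorted(copyleft)}
    copyleft_files = sorted(p for p, r in per_file.items() if r["copyleft"])
    permissive_all = sorted({n for r in per_file.values() for n in r["permissive"]})
    # A LICENSE/COPYING file directly under the root is the usual way 1.3 is satisfied.
    has_top_level_license = any(os.sep not in p and p.upper().startswith(("LICEN", "COPYING"))
                                for p in per_file)
    if copyleft_files:
        verdict = "fails 1.4: copyleft terms in " + ", ".join(copyleft_files)
    elif not has_top_level_license:
        verdict = "no top-level LICENSE/COPYING file: check how the license is conveyed (1.3)"
    else:
        verdict = "meets 1.3/1.4 on the evidence found: " + ", ".join(permissive_all)
    return {"files": per_file, "copyleft_files": copyleft_files,
            "permissive": permissive_all, "verdict": verdict}


def build_sample_repo():
    """Constructed sample tree: MIT at the top level, but one vendored file has a GPL header."""
    root = tempfile.mkdtemp(prefix="oss-check-")
    files = {
        "LICENSE": "MIT License\n\nCopyright (c) 2024 Example Author\n\n"
                   "Permission is hereby granted, free of charge, ...\n",
        "README.md": "# sample\n\nRedistribution is welcome; see LICENSE.\n",
        "src/index.js": "module.exports = () => 42;\n",
        "vendor/strutil.js": "/*\n * Copyright (C) 2019 Someone\n"
                             " * Licensed under the GNU GPL v3 or later.\n */\nmodule.exports = {};\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = scan_repo(build_sample_repo())
    for rel, hits in report["files"].items():
        print(f"{rel}: {hits}")
    print(report["verdict"])
```

Run against a real checkout, `scan_repo(".")` reports the per-file hits so the User can read the actual headers; the verdict is only a first pass, since a regex cannot tell a license grant from a mention of a license in a changelog.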

2. Disclosure

2.1. Vulnerabilities identified by community members in Open Source Code that meets the prerequisites above can be disclosed to oss-report@checkmarx.com. A submitted vulnerability disclosure should contain the following required details:

· Affected module

· Relevant package manager/ecosystem

· Package link

· Vulnerability details

· Steps to reproduce

3. Testing and Validation

Prior to publishing a report on a disclosed vulnerability, Checkmarx researchers will validate the vulnerability as follows:

3.1. The Open Source Code will be tested in an isolated environment separate from production, or in an external sandbox.

3.2. Checkmarx may contact the user who submitted the disclosure to acknowledge receipt of the submission and discuss the details of the vulnerability.

3.3. The user submitting the disclosure undertakes not to exploit, access or use any vulnerabilities detected in the Open Source Code, in any way or for any other purpose other than for communicating with Checkmarx regarding the vulnerability, as detailed above.

4. Publication of Report

After validating a vulnerability, Checkmarx will notify the maintainer of the applicable Open Source Code, and prepare and publish a report on the vulnerability, according to the following procedure:

4.1. Prior to creating a Vulnerability Report, Checkmarx shall notify the maintainer of the Open Source Code, by email, of the vulnerability detected and any additional relevant information.

4.2. The Maintainer will be given a 90-day period (the Remediation Period), commencing on the date on which the Notification Email was sent to the Maintainer, to fix or patch the vulnerability detected; this period may be extended upon the Maintainer’s request.

4.3. Upon receiving Maintainer’s notification that the Vulnerability was remedied or following the expiration of the Remediation Period (including any extension granted by Checkmarx), whichever is earlier, Checkmarx shall prepare a Vulnerability Report, assign a Common Vulnerabilities and Exposures (CVE) number for public tracking, and publish such report, together with any available remediation, to the community website maintained by Checkmarx at Developer Hub – DevHub (checkmarx.com).

For vulnerability disclosure or any clarification please contact us at oss-report@checkmarx.com