Patchstack Vulnerability Disclosure Policy

04.12.2021

Here’s what you need to know

We take the security of the whole open-source web seriously and truly value the security community.

The disclosure of security vulnerabilities in open-source web application components allows developers and vendors to ensure the security and privacy of their users.

Guidelines

We require that all researchers:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;

• Use the identified communication channels to report vulnerability information to us;

• Keep information about any vulnerabilities you’ve discovered confidential between yourself, Patchstack, and the vendor until we’ve had 30 days to resolve the issue.

General

Third-party independent researchers or companies may submit vulnerabilities using the web form (https://patchstack.com/report/) or by email: audit@patchstack.com.

• Patchstack validates all vulnerabilities.

• After validation, Patchstack will contact the software author/vendor to provide all information about the vulnerability so the software author can start the patching procedure.

• We will negotiate all details, such as the patch release date and the disclosure date, with the software developer so that, after the patched version is released, a significant number of users have time to update to it.

• Patchstack will make public disclosures on the Patchstack Vulnerability Database (https://patchstack.com/database/).

• Every disclosed vulnerability will have its own database entry (separate entries for each vulnerability type when the software has multiple vulnerabilities). We also provide additional information such as the CVSS 3.1 base score, OWASP Top 10 category, researcher name, contact details (if the author wishes), and other related information.

• If the software is abandoned (its developer cannot be reached through any known contact or ignores attempts at contact), we will mark it as such. Vulnerabilities in abandoned software may be disclosed even if no patched version is available.

• Patchstack will try to contact the vendor via the contacts provided on the product page. We will not create accounts on support forums or ticketing systems to report the vulnerability. The vendor is fully responsible for making it possible for any user to contact them and report issues related to their software. If there is no way to report the vulnerability, we will report it to the management of the repository that hosts the vulnerable component.

• All vulnerabilities will be disclosed 30 days after the first attempt to contact the vendor. Patchstack reserves the right to postpone some disclosures.
