We take the security of the whole open-source web seriously and truly value the security community.
The disclosure of security vulnerabilities in open-source web application components allows developers and vendors to ensure the security and privacy of their users.
We require that all researchers:
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
• Use the identified communication channels to report vulnerability information to us; and
• Keep information about any vulnerabilities you’ve discovered confidential between yourself, Patchstack and the vendor until we’ve had 30 days to resolve the issue.
Third-party independent researchers or companies may submit vulnerabilities by using the web form (https://patchstack.com/red-team/) or directly by email: firstname.lastname@example.org.
• Patchstack validates all vulnerabilities.
• After validation, Patchstack will contact the software author/vendor and provide all information about the vulnerability so that the software author can start the patching procedure.
• We will negotiate all details, such as the patch release date and disclosure date, with the software developer to ensure that, after the release of the patched version, a significant number of software users have updated to the latest patched version.
• Patchstack will make public disclosures on the Patchstack Vulnerability Database (https://patchstack.com/database/).
• All disclosed vulnerabilities will have their own database entry (separate entries for each vulnerability type when software has multiple vulnerabilities). We also provide additional information such as the CVSS 3.1 base score, OWASP Top 10 type, researcher name and contacts (if the author so wishes), and more related information.
• If the software is abandoned, we will mark it as such. Vulnerabilities in abandoned software may be disclosed even if no patched version of the software is available. Its developer cannot be reached through known contacts or ignores contact attempts.