Vulnerability Disclosure

Disclosure of a vulnerability in an open-source package

Seal Security values the security community and believes that responsible disclosure of security vulnerabilities in open source packages is crucial to the overall security of the open source ecosystem. This disclosure program gives the security community a way to report security issues found in open source code.

The Seal Security responsible disclosure program strives to protect both the maintainer and the reporting researcher. It allows maintainers and developers who use open source code to safely benefit from the discovery of these vulnerabilities before public disclosure, while also crediting researchers for their dedication.

Vulnerability disclosure reporting process

  1. Submission: Researchers and developers are invited to submit detailed reports outlining identified vulnerabilities in open source code.

  2. Validation: Seal Security's security team evaluates each report, assessing the validity of the claims and the severity of the associated risk.

  3. Maintainer Notification: Upon validation, Seal Security promptly contacts the owner or maintainer of the affected project through various channels.

  4. Collaboration & Disclosure Timeline: Seal Security collaborates with the maintainer by providing vulnerability details, suggesting potential fixes, and establishing a mutually agreeable timeframe for public disclosure.

  5. Public Disclosure: Once a fix is available, Seal Security publicly discloses the vulnerability, acknowledging the researcher's contribution.

  6. CVE Assignment: As a recognized CVE Numbering Authority (CNA), Seal Security assigns a unique CVE identifier to the disclosed vulnerability.

Reporting vulnerabilities

Vulnerability reports can be submitted directly to disclosure@sealsecurity.io. The report must contain the following details:

  • Affected package

  • Relevant package manager

  • Vulnerability details

  • Steps to reproduce

Upon receiving the report, Seal Security validates and documents the reported vulnerability prior to contacting the maintainer.

Vulnerability disclosures sent by email can also be encrypted using the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[key material omitted]
-----END PGP PUBLIC KEY BLOCK-----
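As an added example (not code from this page or from Seal Security), the following POSIX shell script prepares a report containing the four required fields, checks that none is missing, verifies the fingerprint of the program's key against one confirmed out-of-band, and only then encrypts the report to disclosure@sealsecurity.io. The key file name, the EXPECTED_FPR variable and the sample report contents are assumptions and placeholders; the fingerprint check matters because a key copied from a web page is only as trustworthy as the page it came from.

```shell
#!/bin/sh
# Added example, not code from the Seal Security page: prepare a disclosure
# report and encrypt it to the program's PGP key before emailing it.
# Assumptions: the key block from the page has been saved to a file (default
# seal-disclosure.asc); EXPECTED_FPR is a placeholder to be replaced with the
# fingerprint confirmed out-of-band with Seal Security.
set -eu

RECIPIENT="disclosure@sealsecurity.io"
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_VERIFIED_FINGERPRINT}"

# sample_report: print a constructed report skeleton with the four fields the
# policy requires (values are placeholders, not a real finding).
sample_report() {
  cat <<'EOF'
Affected package: example-lib 1.2.3 (placeholder)
Package manager: npm
Vulnerability details: describe the flaw, impact and affected versions here
Steps to reproduce: numbered steps, minimal PoC, expected vs. observed result
EOF
}

# report_is_complete FILE: succeed only if every required field heads a line.
report_is_complete() {
  missing=0
  for field in "Affected package" "Package manager" "Vulnerability details" "Steps to reproduce"; do
    if ! grep -qi "^$field:" "$1"; then
      echo "missing field: $field" >&2
      missing=1
    fi
  done
  return "$missing"
}

# key_fingerprint KEYFILE: print the primary fingerprint of an armored key
# without importing it (gpg --show-keys needs GnuPG 2.1.23 or later).
key_fingerprint() {
  gpg --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report KEYFILE REPORT: check the report, verify the fingerprint,
# import the key and write an ASCII-armored REPORT.asc for the recipient.
encrypt_report() {
  keyfile="$1"; report="$2"
  report_is_complete "$report"
  fpr="$(key_fingerprint "$keyfile")"
  if [ "$fpr" != "$EXPECTED_FPR" ]; then
    echo "fingerprint mismatch: got $fpr, expected $EXPECTED_FPR" >&2
    return 1
  fi
  gpg --batch --quiet --import "$keyfile"
  # --trust-model always is acceptable only because the fingerprint was just checked.
  gpg --batch --yes --armor --trust-model always \
      --recipient "$RECIPIENT" --output "$report.asc" --encrypt "$report"
  echo "wrote $report.asc"
}

# Usage: sh encrypt_report.sh [KEYFILE] [REPORT]; if REPORT does not exist yet,
# a skeleton is written there first so it can be filled in and re-run.
if [ "$#" -gt 0 ]; then
  keyfile="${1:-seal-disclosure.asc}"
  report="${2:-report.txt}"
  [ -f "$report" ] || sample_report > "$report"
  encrypt_report "$keyfile" "$report"
fi
```

The resulting report.asc is what goes in the email body or as an attachment; the plaintext report should stay on the researcher's machine until the maintainer has shipped a fix.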

Vulnerability validation

After validating a submitted vulnerability report, a security analyst will reach out to the submitter using the provided contact details. This communication acknowledges receipt of the report, discusses the vulnerability details, and confirms the assigned severity level.

Working with the maintainers

Upon successful validation of the vulnerability report, Seal Security promptly contacts the affected package's maintainer. We'll share detailed vulnerability information to facilitate their internal resolution process.

Coordination:

Maintainers should acknowledge receipt of the vulnerability report and provide a point of contact for further coordination, along with their expected remediation timeline.

Seal Security will then provide any additional information that will assist the maintainers in the development of a security fix.

The maintainers and Seal Security will then collaborate on the public disclosure timeline.

Responsible disclosure timeline:

Seal Security adheres to a 90-day responsible disclosure timeframe. This gives a responsive maintainer ample time to develop and release a fix before the vulnerability is publicly disclosed. Extensions can be granted upon request, especially for critical vulnerabilities, so that a patch is available before public disclosure. If the maintainer does not respond, the shorter follow-up and escalation schedule below applies instead.

Following up (Day 30):

  • If we haven't received an acknowledgement or response from the maintainer within 30 days, we resend the vulnerability details to the initial point of contact.

  • Additionally, we attempt to reach out to a secondary contact listed publicly if available.

Escalation and disclosure consideration (day 45):

  • If there's no response after another 15 days (total of 45 days), we may escalate the communication.

  • This escalation could involve re-sending the details to all previous contacts and potentially notifying relevant stakeholders or customers at our discretion.

Public disclosure (after day 60):

  • If there's no response after another 15 days (total of 60 days), or if the maintainer expresses no desire to collaborate on disclosure, we may issue a public security advisory.

Public disclosure

Seal Security will assign the vulnerability a CVE ID, and share information about the vulnerability and the related fix on its website.

Public disclosure may be initiated either by failure to respond in a timely manner in accordance with the responsible disclosure timeline, or in coordination with the package maintainers.

After the public disclosure, Seal Security may share information about the vulnerability and the fix to the public through any medium it deems appropriate.
