WhiteSource Vulnerability Disclosure Policy
How to report a security vulnerability
If you believe you have discovered a security vulnerability that affects open source packages, please report it to us. WhiteSource aims to provide a disclosure program for the community to report open source security issues easily and safely.
To report a security vulnerability, please send an email to [email protected] that includes the specific product and software versions you believe are affected, details of the vulnerability, and steps to reproduce it.
How WhiteSource handles these reports
After receiving the report, WhiteSource’s security team verifies the details and confirms that there is a vulnerability.
WhiteSource contacts the project maintainer with the vulnerability details, and works on a public disclosure timeline.
Once the maintainer approves the findings and releases a fix or remediation within a mutually agreed timeline, WhiteSource will publicly disclose the vulnerability in its capacity as an officially recognized CVE Numbering Authority (CNA).
WhiteSource follows a 90-day disclosure timeline, giving the maintainer of the affected package an adequate timeframe to respond and create a fix for the vulnerability prior to publication.
If the maintainer does not reply to the initial disclosure email within 15 days, WhiteSource will send a second notification. Once the second notification has been sent, WhiteSource will give the maintainer an additional 15 days to respond, for a total of 30 days from the initial disclosure. If the maintainer does not respond to either notification, WhiteSource will issue a public advisory without further collaboration.
An advisory describing the full details of the vulnerability will be made available to the public in the WhiteSource vulnerability DB.
Have any questions?
Email us at [email protected].