Snyk takes on responsibility for Node.js ecosystem vulnerability disclosure program

submitted by
Style Pass
2021-05-27 19:00:09

As announced last week by our good friends at the Node.js Foundation, Snyk has agreed to take over the amazing Node.js ecosystem vulnerability disclosure program. As a company that’s been part of this program from a very early stage — and has been inspired by it to create our own multi-ecosystem disclosure program — it is a great honor to have been entrusted with this responsibility, and we thank the Node.js Foundation sincerely for their trust in this matter.

Snyk has always seen responsible vulnerability disclosure as one important way we can give back to the open source community. We started our program over three years ago, and have helped responsibly disclose hundreds of vulnerabilities in the ecosystem during this time. Our team works with both individual researchers looking to disclose a single vulnerability, as well as with academic groups and institutions working on mass disclosures. It’s important to stress that we see our role in this process not only to help disclose in a safe fashion, but also to help reduce the noise for maintainers by verifying reports. Additionally, we strive to reduce noise in the community as a whole by taking a measured and collaborative approach to disclosures to make sure we are not flooding the ecosystem with irrelevant reports.

In terms of handover, every reporter who has an outstanding disclosure report open in the Node.js ecosystem program will have received an email informing them of the report’s closure and pointing them to disclose the vulnerability using the Snyk vulnerability disclosure form. Snyk’s dedicated team of security analysts and researchers will then triage your reports, verify them, and reach out to the maintainers of the reported packages to begin our responsible disclosure process as per our disclosure policy. Once reports have been verified by the maintainers — and hopefully after a fix has been issued — we will publish the vulnerability in our public database, as well as issue an official CVE credited to the reporter.