Mend.io Vulnerability Disclosure Policy
How to report a security vulnerability:
If you believe you have discovered a security vulnerability that affects open source packages, please report it to us. Mend.io aims to provide a disclosure program for the community to report open source security issues easily and safely.
To report a security vulnerability, please send an email to firstname.lastname@example.org that includes the specific product and software versions which you believe are affected, vulnerability details and how to reproduce the vulnerability.
How Mend.io handles these reports:
After receiving the report, Mend.io's security team verifies the details and confirms that there is a vulnerability.
Mend.io contacts the project maintainer with the vulnerability details, and works on a public disclosure timeline.
Once the maintainer approves the findings and releases a fix or remediation on a mutually agreed timeline, Mend.io will publicly disclose the vulnerability in its capacity as an officially acknowledged CVE Numbering Authority (CNA).
Mend.io follows a 90-day disclosure timeline, giving the maintainer of the affected package an adequate timeframe to respond and create a fix for the vulnerability prior to publication.
If the maintainer does not reply to the initial disclosure email within 15 days, Mend.io will send a second notification. Mend.io will give the maintainer an additional 15 days to respond after the second notification is sent, for a total of 30 days to respond from the initial disclosure. If the maintainer does not respond to either notification, Mend.io will issue a public advisory with no further collaboration.
An advisory describing the full details of the vulnerability will be made available to the public in the Mend.io Vulnerability DB.
Have any questions?
Email us at email@example.com.