Mend Vulnerability Disclosure Policy
How to report a security vulnerability
If you believe you have discovered a security vulnerability that affects an open source package, please report it to us. Mend aims to provide a disclosure program through which the community can report open source security issues easily and safely.
To report a security vulnerability, please send an email to email@example.com that includes the specific product and software versions you believe are affected, the vulnerability details, and the steps needed to reproduce the vulnerability.
How Mend handles these reports
After receiving the report, Mend's security team verifies the details and confirms that there is a vulnerability.
Mend contacts the project maintainer with the vulnerability details and works with them on a public disclosure timeline.
Once the maintainer approves the findings and releases a fix or remediation within the mutually agreed timeline, Mend, as an officially acknowledged CVE Numbering Authority (CNA), will publicly disclose the vulnerability.
Mend has a 90-day disclosure timeline, which gives the maintainer of the affected package an adequate timeframe to respond and create a fix for the vulnerability prior to publication.
If the maintainer does not reply to the initial disclosure email within 15 days, Mend will send a second notification. Mend will give the maintainer an additional 15 days to respond once the second notification has been sent, for a total of 30 days to respond from the initial disclosure. If the maintainer does not respond to either notification, Mend will issue a public advisory with no further collaboration.
An advisory describing the full details of the vulnerability will be made available to the public in the Mend vulnerability DB.
Have any questions?
Email us at firstname.lastname@example.org.