This page documents our process for handling security vulnerabilities in open source packages. To report a vulnerability, see our reporting page.
Here are the steps we follow:
- The person discovering an issue privately reports it to security@tidelift.com.
- The Tidelift security team will reply to the person reporting the issue within two business days to acknowledge receipt.
- We expect that packages using Tidelift as their security contact will have maintainers signed up to work with Tidelift (we call these maintainers lifters).
- The Tidelift security team will contact the lifter or lifters for the affected package and work with them to investigate the report.
- If a package has no lifters, the security team will attempt to direct the reporter to an appropriate alternative place to report the issue.
- Involved lifters will keep the report confidential. This means avoiding public GitHub issues or commits.
- Once a report has been investigated, the Tidelift security team will notify the reporter whether the report has been accepted or rejected, with an explanation.
- If a report is rejected, there is nothing else to do. If accepted, the process continues.
- The Tidelift security team will work with the maintainer to obtain a CVE number for the vulnerability.
- The lifters for the affected package will prepare a fix and an accompanying announcement.
- If necessary, Tidelift will help coordinate a release schedule for the announcement and the fixed release(s).
- Lifters will commit the fix and publish the fixed release(s), and the information about the vulnerability will be made public. The commits and releases should be made as close in time to the announcement as possible.