Sonatype on Responsible Disclosure
Sonatype prides itself on its unwavering commitment to data quality and integrity, ensuring the highest standards are consistently met. Part of our commitment to the safety of OSS usage is ensuring we responsibly disclose zero-day vulnerabilities. The process an organization follows on vulnerability disclosure is the difference between chaos and a clean fix. We follow industry standards of responsible disclosure as listed by OWASP. This document provides an overview of Sonatype’s responsible disclosure process.
Responsible Disclosure Process
Discovery
A new vulnerability is reported to or discovered by Sonatype.
Internal Process
Our internal process includes reporting, verification & data logging.
Contact
Identifying project’s point of contact.
Sonatype makes every reasonable effort to identify the owners of the original project so that the vulnerability can be resolved.
If there is no point of contact, we have no choice but to reach out publicly. In that case Sonatype makes every effort to share only the bare minimum of information, in order to protect companies from the vulnerability; the goal is simply to get the maintainers' attention so that we can communicate privately.
Patch
From the first date of contact between Sonatype and the project maintainers, the project has 90 days to provide a patch. We will work with the project owners to extend the timeline if reasonable efforts are being made to publish a fix.
Public Disclosure
Sonatype publishes the vulnerability to the National Vulnerability Database when either the vulnerability is fixed or 90 days have passed, whichever happens first.
Questions You May Have
Why does Sonatype follow the principles of responsible (aka coordinated) disclosure and not private or full disclosure?
Private disclosure is when the vulnerability is only reported privately to the organization. Sonatype does not use this model because in cases where the vendor is unresponsive or chooses not to address the vulnerability, the specific details might never be disclosed to the public.
Full disclosure means publishing complete information about a vulnerability as soon as it is discovered. This approach goes against Sonatype’s goal of uniting software developers, application security professionals, operators, engineering leaders, and legal teams to manage their open source components safely so that they can focus on innovation. Under full disclosure, every detail, which may include exploit code, becomes accessible to potential attackers, sometimes before a patch is available. Full disclosure is mostly used when an organization disregards a reported vulnerability, to compel it to create and release a fix.
Why does Sonatype have a 90-day disclosure policy?
Responsible disclosure strikes a balance between private and full disclosure in order to keep software-producing organizations, and the world, safe. Sonatype makes every reasonable effort to contact project owners and will work with them to ensure a patch is released.
Why does responsible disclosure matter?
Responsible disclosure promotes security and stability of software systems. When security researchers discover vulnerabilities, responsibly disclosing these vulnerabilities to the affected parties allows them to address and patch the issues before malicious actors can exploit them. This process helps prevent potential cyberattacks, data breaches, and disruptions, ultimately safeguarding users' sensitive information, privacy, and the overall functionality of digital systems.
Do I need to alert project owners of vulnerabilities identified by Sonatype?
No. As described in this document, our disclosure process already includes alerting project owners, so you do not need to.