Snyk takes on responsibility for Node.js ecosystem vulnerability disclosure program

As announced last week by our good friends at the OpenJS Foundation, Snyk has agreed to take over from the amazing Node.js ecosystem vulnerability disclosure program. As a company that’s been part of this program from a very early stage — and has been inspired by it to create our own multi-ecosystem disclosure program — it is a great honor to have been entrusted with this responsibility, and we thank the Node.js project sincerely for their trust in this matter.

Snyk has always seen responsible vulnerability disclosure as one important way we can give back to the open source community. We started our program over three years ago, and have helped responsibly disclose hundreds of vulnerabilities in the ecosystem during this time. Our team works with both individual researchers looking to disclose a single vulnerability, as well as with academic groups and institutions working on mass disclosures. It’s important to stress that we see our role in this process not only to help disclose in a safe fashion, but also to help reduce the noise for maintainers by verifying reports. Additionally, we strive to reduce noise in the community as a whole by taking a measured and collaborative approach to disclosures to make sure we are not flooding the ecosystem with irrelevant reports.

In terms of handover, every reporter who has an outstanding disclosure report open in the Node.js ecosystem program will have received an email informing them of the reports closure and pointing them to disclose the vulnerability using the Snyk vulnerability disclosure form. Snyk’s dedicated team of security analysts and researchers will then triage your reports, verify them, and then reach out to the maintainers of the reported packages to begin our responsible disclosure process as per our disclosure policy. Once reports have been verified by the maintainers — and hopefully after a fix has been issued — we will publish the vulnerability in our public database, as well as issue an official CVE accredited to the reporter.

It’s important to note that due to privacy and GDPR issues, the Node.js project will not be passing on any contact details of reporters to us directly. Furthermore, this handover is opt-in only. Therefore we do require reporters to resubmit their disclosures to us, and so we apologise for any inconvenience that might cause, but will do our best to make sure that the disclosure process going forward is as frictionless as possible.

We will continue to invest into our disclosure program, both internally and externally to help make it as efficient and helpful as possible for both reporters and maintainers. As always we invite the community to provide us feedback on the process as you collaborate with us.

And if you want to hear more about the importance of responsible vulnerability disclosures, I'd encourage you to check out a discussion I recently had with Liran Tal, Director of Developer Advocacy here at Snyk.