Sheogorath's Blog

Snyk disclosure handling

Today I learned that one can report found vulnerabilities to the company “Snyk”, which will take care of the responsible disclosure procedure. This means they will take the report, validate it, assign it a CVE, contact the maintainers and disclose it to the public after 90 days.

I came across it because I found a vulnerability in a package and wanted to check if it was already reported there. Maybe I’ll make my life easier next time and just let them do the responsible disclosure, as it saves me some hassle with unresponsive maintainers. Anyway, I’m quite sure other security companies do that as well, as it’s basically their bread-and-butter business to do disclosures and have vulnerabilities as early as possible, but as I came across it, I thought it was quite interesting to see that they make it that easy to report problems.