This post first appeared on the Linux Foundation Blog.
In the digital age, security is paramount for building trust. With the constant rise of digital threats across all layers of our software infrastructure, organizations must make security a top priority. Security is a core priority at the Linux Foundation. We are dedicated to continuously improving our security practices as are our project communities.
Today, we’re introducing our new vulnerability disclosure policy, which clarifies how vulnerability reporters should connect with the Linux Foundation project maintainers who are able to resolve issues.
The Need for Clearer Vulnerability Reporting
The Linux Foundation hosts some of the world’s most critical and popular software projects today, including the Linux kernel, Node.js, PyTorch, and Kubernetes, collectively forming the backbone of many internet and enterprise solutions. We also host hundreds of project communities that do not have the resources a large, well-known project community may attract.
The reality remains the same across the spectrum of projects: all open source projects must be prepared to process vulnerabilities discovered in their codebase. Some end users and security researchers (aka “finders”) have found it challenging to know how best to report vulnerabilities, especially if they’ve never reported a vulnerability to a particular open source software (OSS) project before. At the Linux Foundation we want to clarify the process for all projects. The new guidelines are just one step as we look to incrementally and continuously improve.
The action formula outlined in our policy is simple: report a vulnerability directly to the LF foundation or project involved in its development. We don’t want to create any impediment between the vulnerability finder and the project that can fix it. If the vulnerability is in the main LF website or infrastructure, we ask finders to use the channel dedicated to those reports.
However, our reporting policy doesn’t stop there; We also provide important tips and links to additional resources, such as a guidance document to help finders who have never reported a vulnerability to an OSS project. Additionally, we advise LF foundations and projects to help them explain their reporting process to finders. For example:
- Some finders want public credit, while others do not want any public credit. We ask finders to tell us which they’d prefer.
- Some LF projects and foundations have a bug bounty program, while others don’t. In cases where there’s a bug bounty, its rules apply.
Some laws and regulations may impact security research. You should become familiar with them and consult legal counsel if you have any questions. The LF is a global organization, and we simply can’t provide legal advice to everyone in every possible situation. We also can’t promise what others will do. However, we (the LF) will not sue anyone simply for reporting vulnerabilities; we encourage such reports. This new policy means to clarify that it is safe to report vulnerabilities to us so we or our communities can fix them.
The Linux Foundation’s new Security Vulnerability Disclosure Policy is part of our commitment to a more secure future. It marks a proactive step in involving the community in improving the security of the software we all depend on.