Coordinated Vulnerability Disclosure Policy
HeroDevs' comprehensive policy outlining the processes and responsibilities for handling and disclosing software vulnerabilities in coordination with community maintainers.
Policy Overview
HeroDevs, Inc. ("we", or "HeroDevs") provides a separate version of the Community Software (defined below), which is provided by HeroDevs in accordance with the applicable Community Software license obligations ("HeroDevs Software"). In support of the Software, HeroDevs also provides updates, compatibility and security fixes, and other support services (the "Services"), designed to enable the Software to operate in a manner materially consistent with the Community Software. The Software and Services that HeroDevs provides are referred to together as the "Subscription Services". "Community Software" means the publicly available open source licensed version of the Software.
This policy outlines HeroDevs' approach to Coordinated Vulnerability Disclosure ("CVD(s)") for vulnerabilities identified in the Software.
Scope
This policy applies to all vulnerabilities discovered in HeroDevs Software, whether or not HeroDevs has a partnership with the applicable Community Software project / organization.
Policy Statements
Discovery and Assessment
- Upon discovering a vulnerability in the Software, our security team will conduct a thorough assessment to verify and understand the impact of the vulnerability.
Notification and Coordination
- When there are still project maintainers for later versions of the Community Software, we will notify the project maintainers to ensure evaluation and remediation for active versions and, in those cases, to coordinate disclosure and remediation timing.
Remediation
- HeroDevs will develop and release patches or workarounds to mitigate the vulnerability in versions for which HeroDevs provides Subscription Services.
Disclosure
- In cases where the original organization/community is a CVE Numbering Authority ("CNA"), we will coordinate with their security team on filing the CVE. In other cases, we will be responsible for creating the CVE.
- In all cases, a public disclosure will also be made through our security advisories, detailing the nature of the vulnerability, the affected versions, and the remediation steps.
Responsibilities
HeroDevs Security Team
- Responsible for the discovery, assessment, and initial notification of vulnerabilities.
- Develops and releases patches or workarounds for those receiving Subscription Services for the Software.
HeroDevs Communications Team
- Manages public disclosures and coordinates with stakeholders.
- Ensures timely and accurate dissemination of informat