Public Security Disclosure Policy
HeroDevs' guidelines and procedures for reporting, handling, and disclosing security vulnerabilities in their supported open source software products.
HeroDevs is committed to ensuring the security and compatibility of open source software after end of life. As a company with roots in open source, we value transparency and collaboration in addressing security issues to ensure the safety and integrity of our products.
Scope
Our security disclosure policies apply to all products developed and maintained by HeroDevs, including but not limited to:
- AngularJS
- Angular
- Vue 2
- Drupal 7
Identifying and Reporting Vulnerabilities
We encourage security researchers, developers, and users to report any security vulnerabilities discovered in our software promptly and responsibly.
Please Do
- Send an email to disclosures@herodevs.com with the subject line: "Security Vulnerability Report - Product Name"
- Include any relevant supporting materials, such as proof-of-concept code or screenshots
- If possible, provide suggestions for mitigation or remediation of the vulnerability
- Wait for a response from the HeroDevs security team. As some vulnerabilities take longer than others to investigate and resolve, we will aim to have an open line of communication throughout the process
Please Do Not
- Publicly disclose the vulnerability until assessment and remediation are complete and communicated
- Exploit vulnerabilities in a way that harms customers or the open source community
- Execute or attempt to execute denial of service, spam, or other brute force attacks against HeroDevs' products or services
- Submit sensitive or privileged information. If such information needs to be shared as part of the reproduction and/or disclosure, please describe the information and wait to receive instructions to securely transfer the information
Response Time
Upon receiving a vulnerability report, our security team will acknowledge the receipt of the report within 2 business days. We will then assess the reported vulnerability and its potential impact on the software we support.
Our goal is to provide timely updates on the status of the reported vulnerability and any planned remediation efforts. However, the actual response time may vary depending on the complexity of the issue and other factors.
Contact Information
For security-related inquiries or to report a vulnerability, please contact disclosures@herodevs.com.
Policy Updates
HeroDevs reserves the right to update or modify this security disclosure policy at any time without prior notice. Updates to the policy will be reflected on our website and communicated through appropriate channels.