From 5dbc9987ebfa42f742072e37bee535d6c08684dc Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Thu, 7 Nov 2024 15:38:16 -0500 Subject: [PATCH] Restore original opening paragraph --- docs/Outbound_Vulnerability_Disclosure_Policy_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Outbound_Vulnerability_Disclosure_Policy_template.md b/docs/Outbound_Vulnerability_Disclosure_Policy_template.md index 93c0926..9ac7010 100644 --- a/docs/Outbound_Vulnerability_Disclosure_Policy_template.md +++ b/docs/Outbound_Vulnerability_Disclosure_Policy_template.md 
@@ -18,7 +18,7 @@ Open an issue under the [OpenSSF Vulnerability Disclosure Working Group Reposito ## Manual Disclosure Policy -We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers[^1], as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the “Time Limit”. We immediately privately report to maintainers when we discover vulnerabilities within their software, the “Notice Date”. If a project responds to the private report within 21 calendar days, the details will be publicly disclosed (shared with the defensive community) after 90 days, the “Publication Date”, or sooner if the maintainer releases a fix prior to the Publication Date. That Publication Date can vary in the following ways: +We believe that vulnerability disclosure is a collaborative, two-way street. All parties involved, including but not limited to maintainers[^1], as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the “Time Limit”. We immediately privately report to maintainers when we discover vulnerabilities within their software, the “Notice Date”. If a project responds to the private report within 21 calendar days, the details will be publicly disclosed (shared with the defensive community) 90 days after the Notice Date, on the “Publication Date”, or sooner if the maintainer releases a fix prior to the Publication Date. That Publication Date can vary in the following ways: - If a Time Limit is due to expire on a weekend or major public holiday, the Publication Date will be moved to the next normal work day. We are a global community and if there is a conflict, we kindly request that maintainers communicate these conflicts up-front. - We expect maintainers to respond within 21 calendar days of the Notice Date to let us know how the issue is being mitigated to protect impacted end-users. 
If we do not receive any engagement from the maintainers within 35 days of the Notice Date, that affirms their intention to fix the vulnerability within the Time Limit, we reserve the right to fully publicly disclose the vulnerability at that point.
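Review bot: the new wording "All parties involved, including but not limited to maintainers[^1], as well as researchers" in the + line is redundant, since "including but not limited to" and "as well as" both signal an open-ended list; "All parties involved, including maintainers[^1] and researchers, must act responsibly" says the same thing more cleanly. The second change in the same line, replacing "after 90 days" with "90 days after the Notice Date, on the “Publication Date”", is the substantive part of this hunk because it pins the 90-day clock to the Notice Date instead of leaving the start point implicit; the subject "Restore original opening paragraph" does not mention that, so the commit message should say the Publication Date is now explicitly anchored to the Notice Date. The unchanged context line "If we do not receive any engagement from the maintainers within 35 days of the Notice Date, that affirms their intention to fix the vulnerability within the Time Limit, we reserve the right ..." reads as though silence affirms intent because of the comma after "Notice Date"; it is outside this change, but worth a follow-up edit to "any engagement ... that affirms their intention".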