
Why coordinated security vulnerability disclosure policies are important

by Jeremy Katz
on January 21, 2020

We believe that working with maintainers to create coordinated security vulnerability policies is important. Why? Here’s one story to illustrate.

Last year, a new security vulnerability was found in the urllib3 library—a powerful HTTP client for Python. If you are using Python, then you’re probably using urllib3.

When one of the core developers of Python 3, Christian Heimes, discovered this security vulnerability, he followed the disclosure policy on the urllib3 GitHub page, which gave instructions on how to notify the maintainers via Tidelift. Tidelift works with all of our participating maintainers to set up coordinated security vulnerability disclosure policies for their projects, which helps avoid risky zero-day security vulnerability scenarios.

Tidelift then took the following measures:

  1. We worked with MITRE to coordinate the allocation of a CVE for the vulnerability. CVEs provide an industry-standard way to refer to a vulnerability across vendors.
  2. Next, we collaborated with the urllib3 maintainers to implement a fix and have it tested by the original reporter.
  3. We alerted our subscribers about the existence of this new vulnerability.
  4. In addition to the information on the security vulnerability’s existence, we also gave subscribers information on which new releases would resolve the vulnerability in their codebases.
  5. We linked the release notes for users to understand any other changes present in the urllib3 update.

This process—which historically has often taken months with many open source projects—all occurred within 1 day.

If the package hadn’t had a maintainer watching over it, a scenario like this might require that your team spend time forking the library, patching it yourselves, and crossing your fingers that an official patch would be released before you descend into dependency hell.

This is where Tidelift helps. Tidelift ensures that there are maintainers standing behind covered packages who have the financial incentives to fix problems quickly once they are discovered.

In the case of urllib3, all of this was handled before our customers even knew there was an issue. This same scenario has been repeated a number of times since we launched our security vulnerability disclosure process in December 2018.

“Tidelift has made the process of offering a comprehensive vulnerability disclosure process simple for the urllib3 team,” said co-maintainer of urllib3, Seth Larson. “This makes delivering secure code and responding quickly to vulnerabilities easy even for a small team.”

Imagine a world without zero-day fire drills. Sounds nice, doesn’t it? The Tidelift Subscription gets us one step closer to that world. Tidelift researches the health, security, and license status across all of your dependencies and provides you with access to hundreds of open source experts who are paid to fix vulnerabilities for you.

Curious how it works? You can try all the features of the Tidelift Subscription for free for 14 days. Start your free trial now.
