This was inspired by some statistics published in this report:
https://snyk.io/stateofossecurity/
* 2.89 years is the median time from when a vulnerability was
introduced to when it was publicly disclosed
* 75% of vulnerabilities are not discovered by the maintainer
* 79.5% of maintainers said that they had no public-facing disclosure
policy in place
* 21% of maintainers who do not have a public disclosure policy have
been notified privately about a vulnerability
* 73% of maintainers who do have a public disclosure policy have been
notified privately about a vulnerability
We also got some inspiration from this post for the disclosure guidelines:
https://titanous.com/posts/security-disclosure-policy-best-practices
... although we obviously can't afford bug bounties, and we reject the
idea of 24-hour support.