To report a security issue, please email [email protected] with the following information:
- The Chayn product with the vulnerability.
- A short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
- Complete instructions, including specific configuration details, to reproduce the vulnerability.
Optional information to include if applicable:
- Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue.
- Credit: List all researchers who contributed to this disclosure. If you found the vulnerability with a specific tool, you can also credit this tool.
- Contact information for further collaboration. If the vulernerability is accepted, we will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered.
You will receive an email from us confirming we have received your bug report.
Chayn is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure.
If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team.
We appreciate the hard work contributors and maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers and contributors to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted.