Vulnerabilities happen. The question is how you respond when they do. At Netlify we are committed to the safety and security of our customers’ data. As part of that commitment, we are passionate about being transparent when it comes to the responsible disclosure of vulnerabilities in the packages that our community uses to build a better web. As part of our community, you can rest assured that we will not only fix vulnerabilities in a timely manner but also disclose what happened, so that we improve and our community improves as well.
Netlify’s commitment to responsible disclosure
The responsible disclosure of vulnerabilities is a key tenet of the Netlify Security Team. In each and every case, we will only disclose vulnerabilities that have been fully remediated.
Netlify’s collaboration with bug bounty researchers
We’re passionate about working with our bug bounty research partners to make the Netlify platform better for everyone. Should a researcher come to us with a vulnerability and we are able to extend what they have found, we will pay out at the extension amount. If you’re an amazing bug bounty researcher, we want to work with you. Have a look at our public bug bounty program today.
What can Netlify customers and the community expect going forward?
If we see something and it carries a Critical or High CVE rating, you can expect that we will responsibly say something about it. Our goal is to make our community of amazing developers better through transparent disclosures, so that together we can make the web a safer place.
48 hour notification policy
Should there be a vulnerability where we do need our customers to take action, you can expect that once we’ve completed our investigation you will be contacted within 48 hours, which is the same as our security incident notification policy. Our goal with this process is twofold: 1) we’ve verified that our customers and community are no longer vulnerable; 2) we’ve verified that customer(s) and the community were not exploited during the exposure window.
Responsible disclosure of findings to Netlify
You can help us make the web not only a better place but a safer place as well by responsibly reporting your vulnerability findings through our public bug bounty program.