Program Vulnerability Disclosure Policy
Alibaba Open Source team believes that developers and researchers should act responsibly for the vulnerability. Vulnerability disclosure policy could result in protecting our users of the Internet.
Scope of Product
This policy only works on following programs:
Reporting
If you believe you have found any security (technical) vulnerability in the products or services of Alibaba Group, you are welcomed to submit a vulnerability report on ASRC platform (https://security.alibaba.com/ ). You can find the state of your report on the platform.
In case of reporting any security vulnerability, please be noted that you may include following information (Qualified Reporting):
- The product name.
- A detailed description with necessary screenshots.
- Versions of components related to the vulnerability.
- Steps to reproduce the vulnerability and your advice to fix it.
- Other useful information
Processing and Reward
For the policy of vulnerability scope and reward, you can visit Vulnerability Rewards Program V2.0. The related open source products are defined as core businesses.
Vulnerability Disclosure Policy
Related open source vulnerabilities reported to the ASRC will be disclosed in Vulnerability Notes to the public 90 days after the initial report. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.