Guide to coordinated vulnerability disclosure for security researchers engaging with open source software projects
This repository is a set of resources and reference materials to help security researchers engage with open source projects and perform coordinated vulnerability disclosure (CVD).
If you are new to coordinated vulnerability disclosure, it is recommended you start with the Guide. While it is dense, you will want to be familiar with this information and the concepts presented before you need to address a vulnerability report.
If you are familiar with coordinated vulnerability disclosure, you can get a refresher by skipping to the Response Process section of the Guide, or go straight to the Runbook.
We welcome feedback from OSS project maintainers and security researchers on this guide. Opening a GitHub Issue is the best way to send feedback (see CONTRIBUTING.md for directions on submitting PRs).