We believe that working with maintainers to create coordinated security vulnerability policies is important. Why? Here’s one story to illustrate.
Last year, a new security vulnerability was found in the urllib3 library—a powerful HTTP client for Python. If you are using Python, then you’re probably using urllib3.
When one of the core developers of Python 3, Christian Heimes, discovered this security vulnerability, he followed the disclosure policy on the urllib3 GitHub page, which gave instructions on how to notify the maintainers via Tidelift. Tidelift works with all of our participating maintainers to set up coordinated security vulnerability disclosure policies for their projects, which helps avoid risky zero-day security vulnerability scenarios.
Tidelift then took the following measures:
- We worked with MITRE to coordinate the allocation of a CVE for the vulnerability. CVEs provide an industry standard way to refer to a vulnerability across vendors.
- Next, we collaborated with the urllib3 maintainers to implement a fix and have it tested by the original reporter.
- We alerted our subscribers about the existence of this new vulnerability.
- In addition to the information on the security vulnerability’s existence, we also gave subscribers information on which new releases would resolve the vulnerability in their codebases.
- We linked the release notes for users to understand any other changes present in the urllib3 update.
This process—which historically has often taken months with many open source projects—all occurred within 1 day.
If the package hadn’t had a maintainer watching over it, a scenario like this might require that your team spend time forking the library, patching it yourselves, and crossing your fingers that an official patch would be released before you descend into dependency hell.
This is where Tidelift helps. Tidelift ensures that there are maintainers standing behind covered packages who have the financial incentives to fix problems quickly once they are discovered.
In the case of urllib3, all of this was handled before our customers even knew there was an issue. This same scenario has been repeated a number of times since we launched our security vulnerability disclosure process in December 2018.
"Tidelift has made the process of offering a comprehensive vulnerability disclosure process simple for the urllib3 team,” said co-maintainer of urllib3, Seth Larson. “This makes delivering secure code and responding quickly to vulnerabilities easy even for a small team."