Vulnerability Disclosure Policy
Open Design Alliance welcomes vulnerability reports from security researchers, the general public, and any other source to help improve our product security.
If you believe you have discovered a vulnerability in any of our products, please submit a vulnerability report by emailing firstname.lastname@example.org using our PGP key below to encrypt sensitive information:Download ODA PGP Public key
In your report, please include details of:
- The version, architecture and configuration of the ODA SDK.
- A brief description of the type of vulnerability, for example, Buffer-Overflow Vulnerability.
- Steps to reproduce, including a proof-of-concept malformed file.
The Open Design Alliance security team ignores any message to email@example.com that does not relate to reporting or managing an undisclosed security vulnerability in Open Design Alliance software or that requires registration/login to external services to get information about a potential security vulnerability.
The Open Design Alliance security team considers vulnerabilities in ODA SDK products only described at https://www.opendesign.com/products.
Out of Scope
Open Design Alliance does not issue CVEs or fixes for Open Design Alliance software that is no longer supported (see EOL Policy).
If reported issues affect a third-party library or external project used in Open Design Alliance software, Open Design Alliance reserves the right to ask the researcher to contact third-party developers directly.
What to Expect from Us
We intend to provide an initial response to reporters within five business days.
Then the Open Design Alliance security team investigates and reproduces the vulnerability. If needed, we will request more information from the reporter.
Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
Use only our official channels to discuss vulnerability information with us.
Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly.
Perform testing only on in-scope systems, and respect systems and activities that are out of scope.
Open Design Alliance is committed to fixing vulnerabilities in a timely manner based upon the severity of the vulnerability. After the fix is available in published releases and a CVE ID is received, we intend to publish CVE details. We may publish CVE details before we provide fixes.
While we do not compensate researchers for identifying security vulnerabilities, we do recognize and mention you on security-advisories page for those who help keep our products safe by reporting security vulnerabilities responsibly in accordance with our Vulnerability Disclosure Policy.
Note: Open Design Alliance reserves the right to update the policy at any time.