Responsible Disclosure Policy
Our mission at Veracode is to assist our customers to improve the overall security quality of their applications and eliminate the software vulnerabilities that continually put their businesses and partnerships at risk. As we help our customers become more secure, the privacy of their intellectual property and vulnerability information is our highest priority. A fundamental part of our role as a trusted security adviser to our customers is our commitment to being a responsible discloser of vulnerability information. However, we do not stop there. We are committed to acting each and every day as a good corporate citizen to all members of the software industry whether you are a buyer, a seller, or user of software. We are committed to responsible disclosure whether the owner of the effected intellectual property is a customer of Veracode or not. This document outlines how Veracode handles customer data, vulnerability information, and our policies on responsible disclosure to ensure that we maintain long-term trusted relationships.
Veracode will never disclose to any party the proprietary data that customers upload to our systems or the vulnerability information we produce from that proprietary data, without explicit permission from the owner of the data. This includes code and debug symbols, or the results of our analysis. The customer owns the results of their analysis.
If a customer wishes to disclose the results of a security review to another party or the public, Veracode will make summary information available on request from the customer.
During a customer security review, if we discover a vulnerability in code that is not owned by the customer, such as a vulnerability in a 3rd party library, Veracode, in coordination with our customer, will disclose the details of this vulnerability to the owner of the code and not publicly.
Non-Customer Vulnerability Disclosure
If Veracode discovers new vulnerability information in proprietary code that is not related to a Veracode customer, we will only disclose that information to the owner of the vulnerable code. We believe that the vendor of the effected code is best positioned to diagnose and repair the vulnerability. In addition, Veracode is committed to doing everything it can to assist the owner of the vulnerable code improve the level of security quality of that code.
Veracode will not publicly release the details of the vulnerabilities we discover in proprietary code. Nor will Veracode ever sell the vulnerability details.
Open Source Software
If Veracode discovers a vulnerability in open source software as part of a customer software analysis or a Veracode internal analysis we will notify the open source project and wait 45 days to allow the open source project to respond and/or remediate the vulnerability before making the results of our analysis available to our customers or the public.
Fruits of Vulnerability Research
Veracode performs vulnerability research on the core problems confronting secure software development. We strive to discover new vulnerability categories, vulnerability trends, and new ways to mitigate software vulnerabilities. In order for the security, vendor, and customer communities to benefit from our research we will make available papers or blog postings that describe the fruits of our research. In these general research releases we will strive to not make any single customer or single vendor more vulnerable.