At Echo, we value the security community and believe that responsible disclosure of security vulnerabilities in open source packages is essential to maintaining the overall security of the open source ecosystem.
We aim to provide a disclosure program for the security community to report security issues found within managed open source code. The program is designed to protect both the maintainer and the reporting researcher, allowing maintainers and developers who use open source code to safely benefit from the discovery of these vulnerabilities before public disclosure, while also crediting researchers for their dedication.
Vulnerability disclosure reporting process
- Submission: Researchers and developers are invited to submit detailed reports outlining identified vulnerabilities in open source code.
- Validation: Echo’s security team evaluates each report, assessing the validity of the claims and the severity of the associated risks.
- Maintainer notification: Upon validation, Echo’s security team promptly contacts the owner or maintainer of the affected project through various channels.
- Disclosure approach: Echo collaborates with the maintainer by providing vulnerability details, suggesting potential fixes, and establishing a mutually agreeable timeframe for public disclosure.
- Public disclosure: Once a fix is available, Echo publicly discloses the vulnerability, acknowledging the researcher's contribution.
- CVE assignment: As a recognized CVE Numbering Authority (CNA), Echo assigns a unique CVE identifier to the disclosed vulnerability.
Reporting vulnerabilities to Echo
Researchers can submit vulnerability reports to report@echohq.com. Each report should contain at least the following details:
- Affected module
- Relevant package manager and ecosystem
- Vulnerability details
- Steps to reproduce
After receiving the report, Echo validates and documents each reported vulnerability prior to notifying the maintainer.
Vulnerability disclosures sent to Echo by email can also be encrypted using the following PGP key:
Vulnerability validation
After validating a submitted vulnerability report, a security analyst will reach out to the submitter using the provided contact details. This communication acknowledges receipt of the report, discusses the vulnerability details, and confirms the assigned severity level.
Collaborating with package maintainers
Upon successful validation of the vulnerability report, Echo contacts the affected package's maintainer, sharing detailed vulnerability information to facilitate their internal resolution process.
Maintainers should acknowledge receipt of the vulnerability report as well as provide a point of contact for further coordination and their expected remediation timeline. Echo will then provide any additional information that would assist the maintainers in the development of a security fix. After this, the maintainers and Echo will collaborate on the public disclosure timeline.
Responsible disclosure timeline
Echo adheres to a 90-day responsible disclosure timeframe in order to allow the maintainer ample time to develop and release a fix before the vulnerability is publicly disclosed. Extensions can be granted upon request, especially for critical vulnerabilities, to ensure a patch is readily available before public disclosure.
Day 30: Follow-up
If Echo doesn’t receive an acknowledgement or response from the maintainer within 30 days, we resend the vulnerability details to the initial point of contact. Additionally, when available, Echo will attempt to reach out to a secondary contact listed publicly.
Day 45: Escalation and disclosure consideration
If there's no response after an additional 15 days (total of 45 days), Echo may escalate the communication. This could involve re-sending the details to all previous contacts and potentially notifying relevant stakeholders or customers at our discretion.
Day 60: Public disclosure
If there's no response after another 15 days (total of 60 days), or if the maintainer expresses no desire to collaborate on disclosure, Echo may issue a public security advisory with no further collaboration.
Public disclosure
As part of the public disclosure phase, Echo will:
- Assign a CVE ID for public tracking
- Add the vulnerability to its public vulnerability database, sharing relevant information about the vulnerability and the related fix on its website
Validated reported vulnerabilities will be displayed below.