Vulnerability Disclosure Policy

As a globally connected company, and a dedicated group of contributors to the free and open source software community, we at Obsidian Systems place a high value on the continued security and quality of our products and services. Our goal is to ensure that any sensitive information that may be controlled or accessed by our products and belonging to our customers and/or end users is never compromised due to software defects. However, no one can predict all possible vulnerabilities, so we have developed the following vulnerability disclosure policy to address cases where we have fallen short of that goal.

Policy Scope

Our disclosure policy covers any public, open licensed software released by Obsidian. This includes:

  • Reflex FRP and related non-third-party libraries
  • Obelisk
  • Nix packages maintained primarily by an Obsidian employee

Open licensed software dependencies of the above which are not released or maintained by Obsidian but by a third party, such as common programming language libraries or packages, are not covered. Please report vulnerabilities in such dependencies to the appropriate maintainers or authors.

Projects for certain clients which are not publicly released or open licensed are not covered. Vulnerabilities only affecting the production sites of an Obsidian client should be reported directly to that client, who may then, at their discretion, forward such reports to us.

Disclosure Process

Individuals or entities which have discovered security vulnerabilities covered under the scope defined above are termed researchers from the point of view of this policy. This does not mean you have to be a professional security researcher or expert to engage in this process. Researchers are encouraged to submit vulnerability reports to us as soon as possible when they have reasonable confidence that a specific security flaw exists and can provide actionable evidence, according to the following guidelines.

  • Reports should be emailed to in a plain text format. Accompanying proof of concept code or further documentation can be attached as a .tar.gz archive.
  • Reports must be written in English.
  • Clearly indicate which packages or products you believe are affected, and the tested version(s) with release number or Git hash.
  • Include details about the date and manner of discovery of the vulnerability.
  • If you intend to disclose information about the vulnerability publicly, then please inform us ahead of time.

You can expect us to respond as follows.

  • We will provide an initial response within three business days. Our internal security triage process will begin.
  • Once the vulnerability has been triaged, assigned a priority, and a fix has been estimated, we will send you an expected timeline for our remediation efforts. If further evaluation of the vulnerability is needed and other researchers have contacted us about the same issue, then we may contact you or put you in contact with other researchers.
  • Any issues or concerns that may arise during this process will be addressed with you directly in an open and fair manner.
  • We will notify you of our progress in fixing the vulnerability, and once a fix is released, we will publicly give you and any other researchers appropriate credit (unless you explicitly inform us that you wish for your identity to remain confidential).

Our normal process includes publishing details about the vulnerability within 90 days of the first report. If the issue is severe and a fix is still not released within that time, then we may opt for a single further 90-day extension before publishing.

Researchers who follow the guidelines laid out in this policy and refrain from harming any property or exposing any confidential information of Obsidian or its clients can be assured that we will not initiate legal action against them in relation to the disclosure of a vulnerability. We strive to establish a cooperative, professional working relationship with all those who report security concerns to us in good faith.

Version History

  • v0.1-alpha created (in future: published) 2019-12-31