{"id":99935,"date":"2025-01-13T11:00:06","date_gmt":"2025-01-13T09:00:06","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?page_id=99935"},"modified":"2026-03-20T15:54:55","modified_gmt":"2026-03-20T13:54:55","slug":"disclosure-policy","status":"publish","type":"page","link":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/","title":{"rendered":"Disclosure Policy"},"content":{"rendered":"<p>This disclosure policy sets forth the standards and procedures for submission, review and publication of vulnerabilities identified by members of our security community to enable the open sharing of verified information in a responsible way to protect our community and their users. Reports submitted to <a href=\"mailto:oss-report@checkmarx.com\" type=\"mailto\" id=\"mailto:oss-report@checkmarx.com\">oss-report@checkmarx.com<\/a> will be reviewed and handled in accordance with this policy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. <strong>Prerequisites<\/strong>\n<\/h2>\n\n\n\n<p>We will review vulnerabilities identified in libraries that meet the following prerequisites:<\/p>\n\n\n\n<p>1.1. The Code was released as Open-Source Code and is neither proprietary code nor subject to a commercial license requiring payment.<\/p>\n\n\n\n<p>1.2. The Open-Source Code was developed by individuals and not by a commercial entity and is not related to any project or side-project of any commercial entity.<\/p>\n\n\n\n<p>1.3. The Open-Source Code is accompanied by, or obtained under, a license that details the terms and conditions governing the use of such Open-Source Code.<\/p>\n\n\n\n<p>1.4. The Open-Source Code license type does not require any modifications of the Open-Source Code to be distributed using the same license or a &#8220;compatible&#8221; license (known approved licenses include MIT, ISC and BSD). 
The OSS license terms and conditions can usually be found in a LICENSE.txt file.<\/p>\n\n\n\n<p>Note: Files within the Open-Source Code repository may have different licenses; therefore, to make sure the repository meets these prerequisites, please run an additional search for common license-related terms such as licen, redist, copyright and public, or for common license fragments such as MIT, GPL, BSD and Apache, in any Open-Source Code the User intends to check.<\/p>\n\n\n\n<p>1.5. For more information regarding open source license types, User can visit <a href=\"https:\/\/opensource.org\/licenses\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/opensource.org\/licenses<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. <strong>Disclosure<\/strong>\n<\/h2>\n\n\n\n<p>Vulnerabilities identified by community members that meet the prerequisites above can be disclosed to <a href=\"mailto:oss-report@checkmarx.com\">oss-report@checkmarx.com<\/a>. A submitted vulnerability disclosure should contain the following required details:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Affected module<\/li>\n\n\n\n<li>Relevant package manager\/ecosystem<\/li>\n\n\n\n<li>Package link<\/li>\n\n\n\n<li>Vulnerability details<\/li>\n\n\n\n<li>Steps to reproduce<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. <strong>Testing and Validation<\/strong>\n<\/h2>\n\n\n\n<p>Prior to publishing a report on a disclosed vulnerability, Checkmarx researchers will validate the vulnerability as follows:<\/p>\n\n\n\n<p>3.1. The Open-Source Code will be tested on a separate production environment or on an external sandbox.<\/p>\n\n\n\n<p>3.2. Checkmarx may contact the user who submitted the disclosure to acknowledge receipt of the submission and discuss the details of the vulnerability.<\/p>\n\n\n\n<p>3.3. 
The user submitting the disclosure undertakes not to exploit, access or use any vulnerabilities detected in the Open-Source Code, in any way or for any purpose other than communicating with Checkmarx regarding the vulnerability, as detailed above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. <strong>Publication of Report<\/strong>\n<\/h2>\n\n\n\n<p>After validating a vulnerability, Checkmarx will notify the maintainer of the applicable Open-Source Code, and prepare and publish a report on the vulnerability, according to the following procedure:<\/p>\n\n\n\n<p>4.1. Prior to creating a Vulnerability Report, Checkmarx shall notify the maintainer of the Open-Source Code, by email, of the vulnerability detected and any additional relevant information.<\/p>\n\n\n\n<p>4.2. The Maintainer will be given a 90-day period, commencing on the date on which the Notification Email was sent to the Maintainer, to fix or patch the vulnerability detected; this period may be extended upon the Maintainer\u2019s request.<\/p>\n\n\n\n<p>4.3. Upon receiving the Maintainer\u2019s notification that the Vulnerability was remedied or following the expiration of the Remediation Period (including any extension granted by Checkmarx), whichever is earlier, Checkmarx shall prepare a Vulnerability Report, assign a Common Vulnerabilities and Exposures (CVE) number for public tracking, and publish such report, together with any available remediation, on the Checkmarx advisory website <a href=\"https:\/\/advisory.checkmarx.net\/\" target=\"_blank\" rel=\"noopener\">https:\/\/advisory.checkmarx.net\/<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>This disclosure policy sets forth the standards and procedures for submission, review and publication of vulnerabilities identified by members of our security community to enable the open sharing of verified information in a responsible way to protect our community and their users. 
Reports submitted to oss-report@checkmarx.com will be reviewed and handled in accordance with this [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":99019,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-templates\/zero-legal.php","meta":{"_acf_changed":true,"footnotes":""},"class_list":["post-99935","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Disclosure Policy - Checkmarx<\/title>\n<meta name=\"description\" content=\"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. View our responsible disclosure guidelines now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Disclosure Policy - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. View our responsible disclosure guidelines now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-20T13:54:55+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/\",\"url\":\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/\",\"name\":\"Disclosure Policy - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"datePublished\":\"2025-01-13T09:00:06+00:00\",\"dateModified\":\"2026-03-20T13:54:55+00:00\",\"description\":\"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. View our responsible disclosure guidelines now.\",\"breadcrumb\":{\"@id\":\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/checkmarx.com\/zero\/disclosure-policy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Checkmarx Zero\",\"item\":\"https:\/\/checkmarx.com\/zero\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disclosure Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Disclosure Policy - Checkmarx","description":"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. View our responsible disclosure guidelines now.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/","og_locale":"en_US","og_type":"article","og_title":"Disclosure Policy - Checkmarx","og_description":"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. 
View our responsible disclosure guidelines now.","og_url":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-03-20T13:54:55+00:00","twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/","url":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/","name":"Disclosure Policy - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"datePublished":"2025-01-13T09:00:06+00:00","dateModified":"2026-03-20T13:54:55+00:00","description":"Read the Checkmarx Zero vulnerability disclosure policy and help us improve software security. View our responsible disclosure guidelines now.","breadcrumb":{"@id":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero\/disclosure-policy\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/checkmarx.com\/zero\/disclosure-policy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Checkmarx Zero","item":"https:\/\/checkmarx.com\/zero\/"},{"@type":"ListItem","position":2,"name":"Disclosure Policy"}]},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/pages\/99935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=99935"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/pages\/99935\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/pages\/99019"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=99935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}