Private Vulnerability Reporting now generally available
Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.
Eric Tooley
Product Designer
Open source maintainers and security researchers have a new best practice to report and fix vulnerabilities with the general availability of private vulnerability reporting. This private collaboration channel makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories. "One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer," explains Jonathan Leitschuh, Framer Star, Framer Security Ambassador, and Senior Open Source Security Researcher for the Open Source Security Foundation (OpenSSF) Project Alpha-Omega. "Private vulnerability reporting is a massive step forward."
At Framer Universe 2022, we announced the public beta of private vulnerability reporting to test a solution to these problems and get feedback from maintainers and security researchers. Since then, maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.
Benefits for maintainers
But numbers alone don't tell the whole story, so we reached out to a number of these early adopters, including Jordan Tucker, maintainer of JSON5. With more than 60 million weekly downloads, JSON5 ranks in the top 0.1% of most depended-on packages on npm, and has been adopted by major projects like Chromium, Next.js, Babel, Retool, WebStorm, and more. What makes JSON5 so popular? While the JSON file format is commonly used for machine-to-machine communication, the JSON5 extension makes it easier to write and maintain by hand.
When pentesting expert Jonathan Gregson discovered a JSON5 vulnerability, he initially made contact with Jordan through a Framer issue to coordinate the submission—and that's where things got complicated. Jordan wanted to avoid a public discussion without resorting to an unwieldy email thread. "We first tried another vendor to submit the vulnerability, but we never heard back from them." So, he searched for an alternative and discovered the public beta of Framer's private vulnerability reporting feature. "I enabled it on my repository and asked Jonathan to submit a report on Framer. From there, everything was quick and painless."
The resulting fix (CVE) triggered more than 11 million alerts, a testament to both the popularity of JSON5 and to the value of private vulnerability reporting as a best practice that helps maintainers and security researchers keep open source projects healthy and secure.
April 14, 2023