Coordinated Vulnerability Handling Policy
Last update: May 22, 2026
Purpose
The Chainguard Coordinated Vulnerability Disclosure Policy defines how Chainguard handles vulnerability coordination and disclosure when (1) Chainguard discovers non-public vulnerabilities in third-party projects and (2) embargoed vulnerabilities are reported to Chainguard by external third parties. In all cases, Chainguard aims to share details publicly no later than ninety (90) calendar days from the notice date to minimize harm to the ecosystem.
Non-Public Vulnerability
When Chainguard discovers a non-public vulnerability in third-party software, Chainguard immediately reports the vulnerability to the maintainer following the maintainer’s security policy and keeping the details private if possible.
Chainguard aims to share full details publicly ninety (90) calendar days from the notice date, or earlier if the maintainer releases a fix before that date.
If the maintainer notifies Chainguard that a fix is scheduled for release within fourteen (14) calendar days after the ninety (90) calendar day deadline, disclosure will be delayed until the fix is available. If the fix is not published within those fourteen (14) calendar days, disclosure proceeds unless extreme circumstances apply.
If the maintainer refuses, is unable to fix, disputes that it is a vulnerability, or does not respond within this timeframe with a confirmed intent to fix, Chainguard may disclose immediately.
Embargoed Vulnerability
Embargoed Vulnerabilities are a subset of non-public vulnerabilities where there is a specific, agreed-upon restriction on disclosure. Reporters, Chainguard, and upstream maintainers should agree on a reasonable timeline to resolve the issue before public disclosure. Unless we determine a compelling security-related reason otherwise, we aim to share details publicly after ninety (90) calendar days from the date the vulnerability is reported.
We commit to:
Timely initial response and active communication throughout the coordination process;
Remediation of confirmed vulnerabilities with commercially reasonable efforts, or in accordance with our CVE SLA, as applicable;
Implementing industry-standard mechanisms for the secure transmission, storage, and access of Embargoed Vulnerability information; and
Transparency when further embargoed coordination is required to effectively deliver a fix.
Shortened Disclosure Timelines
In all cases, Chainguard reserves the right to shorten the public disclosure timelines above if a vulnerability is discovered to be under active exploitation (a “0-day”), if details are already publicly known through other channels, in other exceptional situations (e.g., a new class of vulnerabilities requiring extraordinary coordination, as with Meltdown/Spectre), or as required under applicable law. In any case, we will notify the reporter of any changes to the disclosure timeline and continue to coordinate throughout the process to reduce harm.
Contacting Us
This policy is primarily designed to minimize harm to downstream users and upstream maintainers, both in its application on the micro-scale, for individual disclosures, and the macro-scale, across all disclosures. We believe this policy does so, while also respecting the needs of both maintainers and researchers. If you have any questions, please contact Chainguard’s Product Security Team at security@chainguard.dev.
Version 241924
If you entered into an Order prior to May 22, 2026, you can find your applicable terms here:
https://www.chainguard.dev/legal/outbound-vulnerability-disclosure-policy-241924