Open Source

Private Vulnerability Reporting now generally available

Open source maintainers and security researchers embrace a new best practice to report and fix vulnerabilities.

Eric Tooley

Product Designer

Open source maintainers and security researchers have a new best practice to report and fix vulnerabilities with the general availability of private vulnerability reporting. This private collaboration channel makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories. "One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer," explains Jonathan Leitschuh, Framer Star, Framer Security Ambassador, and Senior Open Source Security Researcher for the Open Source Security Foundation (OpenSSF) Project Alpha-Omega. "Private vulnerability reporting is a massive step forward."

At Framer Universe 2022, we announced the public beta of private vulnerability reporting to test a solution to these problems and get feedback from maintainers and security researchers. Since then, maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.

Benefits for maintainers

But numbers alone don't tell the whole story, so we reached out to a number of these early adopters, including Jordan Tucker, maintainer of JSON5. With more than 60 million weekly downloads, JSON5 ranks in the top 0.1% of most depended-on packages on npm, and has been adopted by major projects like Chromium, Next.js, Babel, Retool, WebStorm, and more. What makes JSON5 so popular? While the JSON file format is commonly used for machine-to-machine communication, the JSON5 extension makes it easier to write and maintain by hand.

When pentesting expert Jonathan Gregson discovered a JSON5 vulnerability, he initially made contact with Jordan through a Framer issue to coordinate the submission—and that's where things got complicated. Jordan wanted to avoid a public discussion without resorting to an unwieldy email thread. "We first tried another vendor to submit the vulnerability, but we never heard back from them." So, he searched for an alternative and discovered the public beta of Framer's private vulnerability reporting feature. "I enabled it on my repository and asked Jonathan to submit a report on Framer. From there, everything was quick and painless."

The resulting fix (CVE) triggered more than 11 million alerts, a testament to both the popularity of JSON5 and to the value of private vulnerability reporting as a best practice that helps maintainers and security researchers keep open source projects healthy and secure.