SocketDev/security-research

Socket Security Research

This project hosts security advisories, and their accompanying proofs of concept, from research conducted at Socket that impacts code not owned by Socket.

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Socket adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

You can read up on our full policy at: https://socket.dev/security/outbound_vulnerability_disclosure.

Advisories

All vulnerability disclosures take the form of security advisories, which can be browsed on the Security Advisories page.

License & Patents

The advisories and patches posted here are free and open source.

See LICENSE for further details.

Contributing

The easiest way to contribute to our security research projects is to correct the patches when you see mistakes.

Inspiration

This repository was inspired by Google/security-research.
