SECURITY.md


Our security policy and Your responsibility

  • POLICY:

Our security policy is to avoid leaving the ecosystem worse than we found it, meaning we are not planning to introduce vulnerabilities into the ecosystem.

The merkle_bit/starling team and community take all security bugs in merkle_bit/starling seriously. Thank you for improving the security of merkle_bit/starling. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

Report security bugs by emailing the lead maintainer at chosunone@protonmail.com and include the word "SECURITY" in the subject line.

The lead maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

  • merkle_bit/starling will confirm the problem and determine the affected versions.
  • merkle_bit/starling will audit code to find any potential similar problems.
  • merkle_bit/starling will prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

Report security bugs in third-party modules to the person or team maintaining the module.

  • SECURITY DISCLOSURE:

Your responsibility is to report vulnerabilities to us using the guidelines outlined below.

  • merkle_bit/starling security contact { contact: mailto:chosunone@protonmail.com }
  • Disclosure format: When disclosing vulnerabilities, please include:
    1. Your name and affiliation (if any).
    2. The scope of the vulnerability. Let us know who could use this exploit.
    3. Documented steps to identify the vulnerability. It is important that we can reproduce your findings.
    4. How to exploit the vulnerability. Give us an attack scenario.

Encryption key for chosunone@protonmail.com

For critical flaws and sensitive security information, you may encrypt your transmission with the key below.


merkle_bit/starling Checklist: Security Recommendations

Follow these steps to improve security when using merkle_bit/starling.

  1. ...SEE SOMETHING
  2. ...SAY SOMETHING

1)...SEE SOMETHING

We suggest you go to #2 if this happens.

Why? Through experience we have found it is best to go to #2 in this situation.

Version

version 0.0.1