Update SECURITY.md (#93)

Signed-off-by: Thane Thomson <connect@thanethomson.com>

SECURITY.md

@@ -1,55 +1,33 @@
-# Coordinated Vulnerability Disclosure Policy
+# How to Report a Security Bug
 
-The Cosmos ecosystem believes that strong security is a blend of highly technical security researchers
-who care about security and the forward progression of the ecosystem and the attentiveness and
-openness of Cosmos core contributors to help continually secure our operations.
+If you believe you have found a security vulnerability in the Interchain Stack,
+you can report it to our primary vulnerability disclosure channel, the [Cosmos
+HackerOne Bug Bounty program][h1].
 
-> **IMPORTANT**: *DO NOT* open public issues on this repository for security vulnerabilities.
+If you prefer to report an issue via email, you may send a bug report to
+<security@interchain.io> with the issue details, reproduction, impact, and other
+information. Please submit only one unique email thread per vulnerability. Any
+issues reported via email are ineligible for bounty rewards.
 
-## Scope
+Artifacts from an email report are saved at the time the email is triaged.
+Please note: our team is not able to monitor dynamic content (e.g. a Google Docs
+link that is edited after receipt) throughout the lifecycle of a report. If you
+would like to share additional information or modify previous information,
+please include it in an additional reply as an additional attachment.
 
-| Scope                 |
-|-----------------------|
-| last release (tagged) |
-| main branch           |
+Please **DO NOT** file a public issue in this repository to report a security
+vulnerability.
 
-The latest **release tag** of this repository is supported for security updates as well as the **main** branch.
-Security vulnerabilities should be reported if the vulnerability can be reproduced on either one of those.
+## Coordinated Vulnerability Disclosure Policy and Safe Harbor
 
-## Reporting a Vulnerability
+For the most up-to-date version of the policies that govern vulnerability
+disclosure, please consult the [HackerOne program page][h1-policy].
 
-| Reporting methods                                                 |
-|-------------------------------------------------------------------|
-| [GitHub Private Vulnerability Reporting](https://github.com/cometbft/cometbft-db/security/advisories/new) |
-| [HackerOne bug bounty program](https://hackerone.com/cosmos)      |
+The policy hosted on HackerOne is the official Coordinated Vulnerability
+Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and
+infrastructure it supports, and it supersedes previous security policies that
+have been used in the past by individual teams and projects with targets in
+scope of the program.
 
-All security vulnerabilities can be reported under GitHub's [Private vulnerability reporting](https://github.com/cometbft/cometbft-db/security/advisories/new) system.
-This will open a private issue for the developers. Try to fill in as much of the questions as possible. If you are not familiar
-with the CVSS system for assessing vulnerabilities, just use the Low/High/Critical severity ratings. A partially filled in report
-for a critical vulnerability is still better than no report at all.
-
-Vulnerabilities associated with the **Go, Rust or Protobuf code** of the repository may be eligible for a [bug bounty](https://hackerone.com/cosmos).
-Please see the bug bounty page for more details on submissions and rewards. If you think the vulnerability is eligible for a payout,
-**report on HackerOne first**.
-
-Vulnerabilities in services and their source codes (JavaScript, web page, Google Workspace) are not in scope for the bug
-bounty program, but they are welcome to be reported in GitHub.
-
-### Guidelines
-
-We require that all researchers:
-
-* Abide by this policy to disclose vulnerabilities, and avoid posting vulnerability information in public places, including Github, Discord, Telegram, and Twitter.
-* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data.
-* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Cosmos engineering team until the issue has been resolved and disclosed.
-* Avoid posting personally identifiable information, privately or publicly.
-
-If you follow these guidelines when reporting an issue to us, we commit to:
-
-* Not pursue or support any legal action related to your research on this vulnerability
-* Work with you to understand, resolve and ultimately disclose the issue in a timely fashion
-
-### More information
-* See [TIMELINE.md](https://github.com/cosmos/security/blob/main/TIMELINE.md) for an example timeline of a disclosure.
-* See [DISCLOSURE.md](https://github.com/cosmos/security/blob/main/DISCLOSURE.md) to see more into the inner workings of the disclosure process.
-* See [EXAMPLES.md](https://github.com/cosmos/security/blob/main/EXAMPLES.md) for some of the examples that we are interested in for the bug bounty program.
+[h1]: https://hackerone.com/cosmos?type=team
+[h1-policy]: https://hackerone.com/cosmos?type=team&view_policy=true