From 184b2a7080e6c984582ba477ce87bdacaa6859e9 Mon Sep 17 00:00:00 2001 From: Thane Thomson Date: Thu, 16 Nov 2023 05:50:45 -0500 Subject: [PATCH] Update SECURITY.md (#93) Signed-off-by: Thane Thomson --- SECURITY.md | 72 +++++++++++++++++++---------------------------------- 1 file changed, 25 insertions(+), 47 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 73fbc1d..2a5c566 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,55 +1,33 @@ -# Coordinated Vulnerability Disclosure Policy +# How to Report a Security Bug -The Cosmos ecosystem believes that strong security is a blend of highly technical security researchers -who care about security and the forward progression of the ecosystem and the attentiveness and -openness of Cosmos core contributors to help continually secure our operations. +If you believe you have found a security vulnerability in the Interchain Stack, +you can report it to our primary vulnerability disclosure channel, the [Cosmos +HackerOne Bug Bounty program][h1]. -> **IMPORTANT**: *DO NOT* open public issues on this repository for security vulnerabilities. +If you prefer to report an issue via email, you may send a bug report to + with the issue details, reproduction, impact, and other +information. Please submit only one unique email thread per vulnerability. Any +issues reported via email are ineligible for bounty rewards. -## Scope +Artifacts from an email report are saved at the time the email is triaged. +Please note: our team is not able to monitor dynamic content (e.g. a Google Docs +link that is edited after receipt) throughout the lifecycle of a report. If you +would like to share additional information or modify previous information, +please include it in an additional reply as an additional attachment. -| Scope | -|-----------------------| -| last release (tagged) | -| main branch | +Please **DO NOT** file a public issue in this repository to report a security +vulnerability. -The latest **release tag** of this repository is supported for security updates as well as the **main** branch. -Security vulnerabilities should be reported if the vulnerability can be reproduced on either one of those. +## Coordinated Vulnerability Disclosure Policy and Safe Harbor -## Reporting a Vulnerability +For the most up-to-date version of the policies that govern vulnerability +disclosure, please consult the [HackerOne program page][h1-policy]. 
-| Reporting methods | -|-------------------------------------------------------------------| -| [GitHub Private Vulnerability Reporting](https://github.com/cometbft/cometbft-db/security/advisories/new) | -| [HackerOne bug bounty program](https://hackerone.com/cosmos) | +The policy hosted on HackerOne is the official Coordinated Vulnerability +Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and +infrastructure it supports, and it supersedes previous security policies that +have been used in the past by individual teams and projects with targets in +scope of the program. -All security vulnerabilities can be reported under GitHub's [Private vulnerability reporting](https://github.com/cometbft/cometbft-db/security/advisories/new) system. -This will open a private issue for the developers. Try to fill in as much of the questions as possible. If you are not familiar -with the CVSS system for assessing vulnerabilities, just use the Low/High/Critical severity ratings. A partially filled in report -for a critical vulnerability is still better than no report at all. - -Vulnerabilities associated with the **Go, Rust or Protobuf code** of the repository may be eligible for a [bug bounty](https://hackerone.com/cosmos). -Please see the bug bounty page for more details on submissions and rewards. If you think the vulnerability is eligible for a payout, -**report on HackerOne first**. - -Vulnerabilities in services and their source codes (JavaScript, web page, Google Workspace) are not in scope for the bug -bounty program, but they are welcome to be reported in GitHub. - -### Guidelines - -We require that all researchers: - -* Abide by this policy to disclose vulnerabilities, and avoid posting vulnerability information in public places, including Github, Discord, Telegram, and Twitter. 
-* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data. -* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Cosmos engineering team until the issue has been resolved and disclosed. -* Avoid posting personally identifiable information, privately or publicly. - -If you follow these guidelines when reporting an issue to us, we commit to: - -* Not pursue or support any legal action related to your research on this vulnerability -* Work with you to understand, resolve and ultimately disclose the issue in a timely fashion - -### More information -* See [TIMELINE.md](https://github.com/cosmos/security/blob/main/TIMELINE.md) for an example timeline of a disclosure. -* See [DISCLOSURE.md](https://github.com/cosmos/security/blob/main/DISCLOSURE.md) to see more into the inner workings of the disclosure process. -* See [EXAMPLES.md](https://github.com/cosmos/security/blob/main/EXAMPLES.md) for some of the examples that we are interested in for the bug bounty program. +[h1]: https://hackerone.com/cosmos?type=team +[h1-policy]: https://hackerone.com/cosmos?type=team&view_policy=true
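Review bot: the added email-reporting paragraph reads "you may send a bug report to" followed by an empty line, so the recipient address is missing from the text as rendered here; if the address is written as an angle-bracketed autolink on that line, confirm it survived and consider also spelling it out as plain text or a `mailto:` link so renderers and scrapers that strip angle brackets do not leave the instruction pointing nowhere. Secondly, dropping the "Scope" table ("last release (tagged)" and "main branch") removes the only statement of which versions of this repository receive security fixes; either keep that table or add one sentence saying that supported versions and in-scope targets are defined by the HackerOne program policy linked under `[h1-policy]`. Lastly, the GitHub Private Vulnerability Reporting link is removed but the text does not say whether that channel is now unsupported; if private advisories remain enabled on the repository, a short note that reports arriving there will be redirected to HackerOne or email would avoid reports being triaged in a channel nobody watches.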