
eip-evrf: Ethereum Vulnerability Reporting Framework #679

Open. wants to merge 1 commit into base: master from dickolsson:eip-evrf

5 participants
dickolsson commented Jul 28, 2017

This proposal is based on the latest revision of my original blog post here: https://dickolsson.com/evrf-ethereum-vulnerability-reporting-framework/

A few things that I'm still considering based on feedback from speaking to people in the community:

  • It might be a good idea to organise the Ethereum Security Consortium (ESC) such that regular audits are run on projects that claim adherence to this procedure
  • The CVSS standard should probably be replaced with a vulnerability scoring system that applies more directly to the blockchain and smart contract use cases. This is however a bigger task and can probably be followed up upon
GNSPS commented Jul 29, 2017

Thank you @dickolsson, this was a very much needed EIP.

Prior to this EIP being submitted I had already expressed my interest in devising a new, specific threat model, one that is far more focused on smart contracts and their immutable nature.

This is surely the best way to start these efforts going and I believe we're at the right phase to do it.

I also believe that, while being a huge endeavour, we should start devising that new threat model sooner rather than later for it won't be ready when we'll need it if we only start doing it then.

@dickolsson dickolsson force-pushed the dickolsson:eip-evrf branch from 2a3b1cb to 37450ca Aug 10, 2017

@dickolsson dickolsson force-pushed the dickolsson:eip-evrf branch from 37450ca to b0ef56a Aug 10, 2017

Contributor

maurelian commented Aug 14, 2017

This would be a very valuable contribution to the ecosystem.

To summarize in a TLDR what projects would need to do:

  • Add a page describing the reporting process. This page should be easy to find, and provide an email + pgp key.
  • Host and maintain a JSON file listing reported vulns according to the suggested format.

That seems like a nice baby step towards establishing some standard opsec practices.

Collaborator

Arachnid commented Mar 27, 2018

This is a courtesy notice to let you know that the format for EIPs has been modified slightly. If you want your draft merged, you will need to make some small changes to how your EIP is formatted:

  • Frontmatter is now contained between lines with only a triple dash ('---')
  • Headers in the frontmatter are now lowercase.

If your PR is editing an existing EIP rather than creating a new one, this has already been done for you, and you need only rebase your PR.

In addition, a continuous build has been set up, which will check your PR against the rules for EIP formatting automatically once you update your PR. This build ensures all required headers are present, as well as performing a number of other checks.

Please rebase your PR against the latest master, and edit your PR to use the above format for frontmatter. For convenience, here's a sample header you can copy and adapt:

---
eip: <num>
title: <title>
author: <author>
type: [Standards Track|Informational|Meta]
category: [Core|Networking|Interface|ERC] (for type: Standards Track only)
status: Draft
created: <date>
---
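The checks Arachnid describes (frontmatter delimited by lines containing only `---`, lowercase header names, the required headers present, and `category` only for `type: Standards Track`) can be run locally before pushing. The following is an added example, not the EIP repository's own build script: a small linter that parses a draft's frontmatter and reports each formatting problem. The sample documents, the EIP number 999 and the author name in them are constructed for illustration; the header names and allowed values are taken from the sample header above.

```python
# Minimal EIP frontmatter linter (added example, not the EIP repo's CI script).
# It mirrors the rules stated in the comment above: '---' delimiter lines,
# lowercase header keys, required headers, and 'category' only for
# 'type: Standards Track'.

REQUIRED = ("eip", "title", "author", "type", "status", "created")
TYPES = {"Standards Track", "Informational", "Meta"}
CATEGORIES = {"Core", "Networking", "Interface", "ERC"}

# Constructed sample drafts (not real EIPs); the number 999 is a placeholder.
SAMPLE_OK = """---
eip: 999
title: Example Vulnerability Reporting Framework
author: Example Author
type: Informational
status: Draft
created: 2017-07-28
---
## Abstract
Body text follows the frontmatter.
"""

SAMPLE_BAD = """---
EIP: 999
Title: Example Vulnerability Reporting Framework
type: Standards Track
status: Draft
---
"""


def parse_frontmatter(text):
    """Return (headers, errors) for the block between the first two lines
    that consist solely of '---'. Keys are kept exactly as written so the
    caller can check their case."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, ["frontmatter must start with a line containing only '---'"]
    end = None
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            end = i
            break
    if end is None:
        return {}, ["frontmatter is not closed by a second '---' line"]
    headers, errors = {}, []
    for lineno, line in enumerate(lines[1:end], start=2):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {lineno}: not a 'key: value' header: {line!r}")
            continue
        headers[key.strip()] = value.strip()
    return headers, errors


def lint_frontmatter(text):
    """Return a list of human-readable problems; an empty list means the
    frontmatter satisfies the rules quoted in the comment above."""
    headers, errors = parse_frontmatter(text)
    if not headers and errors:
        return errors  # delimiters are broken; nothing more to check
    lower = {}
    for key, value in headers.items():
        if key != key.lower():
            errors.append(f"header '{key}' must be lowercase")
        lower[key.lower()] = value
    for name in REQUIRED:
        if name not in lower:
            errors.append(f"missing required header '{name}'")
    eip_type = lower.get("type")
    if eip_type is not None and eip_type not in TYPES:
        errors.append(f"type must be one of {sorted(TYPES)}, got '{eip_type}'")
    if eip_type == "Standards Track":
        if "category" not in lower:
            errors.append("missing 'category' (required for type: Standards Track)")
        elif lower["category"] not in CATEGORIES:
            errors.append(f"category must be one of {sorted(CATEGORIES)}")
    elif "category" in lower:
        errors.append("'category' is only used for type: Standards Track")
    return errors


if __name__ == "__main__":
    for name, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        problems = lint_frontmatter(doc)
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run it on a draft file by reading the file's text and passing it to `lint_frontmatter`; the good sample yields no problems, while the bad sample reports its two uppercase keys, the missing `author` and `created` headers, and the missing `category` for a Standards Track EIP.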