Security Issue Process
- Estimate Likelihood
- Estimate Impact
- Technical description
- Ownership / Responsibility
Draft of the steps that should be taken when a security issue is found in Ethereum. A security issue is defined as a problem within the scope of Security-Categorization.
Partly inspired by the OWASP Risk Rating Methodology.
- Add an entry describing the issue at (TODO: github link).
- Estimate likelihood, impact and complexity of fix.
Estimate Likelihood
- Affected software version(s).
- How likely is it to be uncovered and exploited by an attacker?
- Ease of discovery?
- Ease of exploit?
- Likelihood of detection?
Estimate Impact
- Blockchain consensus. Potential for a blockchain fork?
- Financial damage. Loss of ether?
- Privacy. E.g. revealing who sent a tx or who owns an address.
- Availability. Can it impact the availability of node(s)?
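The likelihood and impact factors above can be scored the way the OWASP Risk Rating Methodology does it. The following is an added example, not code from this wiki or any Ethereum client; it assumes OWASP's conventions (each factor scored 0-9, group averages banded as LOW/MEDIUM/HIGH, and OWASP's overall-severity matrix), since the page itself fixes no scale, and the sample scores are constructed.

```python
from dataclasses import dataclass, asdict
from statistics import mean


# Assumed OWASP banding: a 0-9 group average is LOW (< 3), MEDIUM (3 to < 6) or HIGH (>= 6).
def band(score: float) -> str:
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


@dataclass
class Likelihood:
    # Higher = more likely to be uncovered and exploited by an attacker.
    ease_of_discovery: int
    ease_of_exploit: int
    # The page asks "likelihood of detection?"; inverted here so that 9 = exploitation
    # would never be noticed, keeping every factor in the same direction.
    chance_of_going_undetected: int


@dataclass
class Impact:
    consensus: int      # potential for a blockchain fork
    financial: int      # loss of ether
    privacy: int        # e.g. revealing who sent a tx or who owns an address
    availability: int   # node(s) becoming unavailable


# Assumed OWASP overall-severity matrix, keyed by (likelihood band, impact band).
OVERALL = {
    ("LOW", "LOW"): "NOTE",
    ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "LOW"): "LOW",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "LOW"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "MEDIUM"): "HIGH",
    ("HIGH", "HIGH"): "CRITICAL",
}


def rate(likelihood: Likelihood, impact: Impact) -> dict:
    """Average each factor group, band the averages and look up the combined severity."""
    l_score = mean(asdict(likelihood).values())
    i_score = mean(asdict(impact).values())
    l_band, i_band = band(l_score), band(i_score)
    return {
        "likelihood": round(l_score, 2), "likelihood_band": l_band,
        "impact": round(i_score, 2), "impact_band": i_band,
        "overall": OVERALL[(l_band, i_band)],
    }


if __name__ == "__main__":
    # Constructed sample: a hypothetical consensus-affecting bug in a single client.
    print(rate(Likelihood(3, 5, 7), Impact(consensus=9, financial=6, privacy=0, availability=4)))
```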
Technical description
- Protocol version.
- Client version(s). Single or multiple implementations?
- OS / external library version(s).
- Link to relevant source code.
- How to fix.
- How to test.
Ownership / Responsibility
- Who is assigned to fix the issue?
- Who will test / review a fix?
- Who takes responsibility for preparing new builds of client software?
- Who takes on disclosing the issue?
- Communication channels (mailing lists, Twitter, GitHub).