[SECURITY] Add more guidelines for security disclosures#592
Added: "Before submitting a security report, please review your source code included in the report. For example, please check if function calls return any errors and avoid calling a function on a `nil` object."
@turbolent PTAL 🙏 If security reports contain obvious bugs that can be spotted at a quick glance, then I think there is a chance that some reviewer in the future might not examine the report's other content as thoroughly as they should.
Update to clarify and expand the additional guidelines to mention Flow Emulator, etc.:

# **Guidelines For Responsible Disclosure**

We ask that all researchers adhere to these guidelines [here](https://flow.com/flow-responsible-disclosure). Additionally, please include the following in the security report:

- the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently)
- list of affected 32-bit or 64-bit architectures (currently, Atree is officially supported on 64-bit platforms)
- version of [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree)

Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code.
@turbolent I reviewed several security reports in the past 2-week sprint cycle and updated the guidelines to request a bit more info that can save time in future security reports:

Guidelines For Responsible Disclosure

We ask that all researchers adhere to these guidelines here. Additionally, please include the following in the security report:

Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code.
SECURITY.md
| Please include the name and version of the tool that detected the issue (if applicable). This can help us identify buggy or noisy vulnerability detectors, and identify duplicate reports more efficiently. | ||
| - the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently) | ||
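Review bot: the replacement bullet drops the removed sentence's second benefit, that the tool name and version also help identify duplicate reports more efficiently; consider keeping it, e.g. "(this can help us handle reports generated by buggy tools and identify duplicate reports more efficiently)".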
| - list of affected 32-bit or 64-bit architectures (currently, Atree is officially supported on 64-bit) |
Good idea to ask for the architecture. AFAIK none of the projects we maintain (atree, Cadence, flow-go, etc.) has official 32-bit support, so maybe just state it:
| - list of affected 32-bit or 64-bit architectures (currently, Atree is officially supported on 64-bit) | |
| - list of affected architectures (Atree is only officially supported on 64-bit) |
Updates onflow/flow-go#8042
Expanded and clarified additional guidelines to include more info in the security reports:

Guidelines For Responsible Disclosure

We ask that all researchers adhere to these guidelines here.

Additionally, please include the following in the security report:

- the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently)
- list of affected 32-bit or 64-bit architectures (currently, Atree is officially supported on 64-bit)
- version of Flow Emulator used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree)

Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code.