Skip to content

Add "Flow Rewards" section to Atree Security Policy#620

Merged
fxamacker merged 4 commits intomainfrom
fxamacker/add-flow-rewards-section-to-security-policy
Jan 28, 2026
Merged

Add "Flow Rewards" section to Atree Security Policy#620
fxamacker merged 4 commits intomainfrom
fxamacker/add-flow-rewards-section-to-security-policy

Conversation

@fxamacker
Copy link
Member

@fxamacker fxamacker commented Jan 22, 2026
edited
Loading

This PR adds a "Flow Rewards" section to SECURITY.md with some text paraphrased from some of @j1010001 ideas today, which might reduce security-related noise while still encouraging valid security reports.

Thanks @j1010001! 👍

Caveats

  • If we make the text too strict, we may risk discouraging valid security reports.
  • If we make the text too relaxed, we may spend more time reviewing and disqualifying invalid security reports.
  • Targeted PR against main branch
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work
  • Code follows the standards mentioned here
  • Updated relevant documentation
  • Re-reviewed Files changed in the Github PR explorer
  • Added appropriate labels

@fxamacker
Add "Flow Rewards" section to SECURITY.md
bdf994d 
This commit adds a "Flow Rewards" section to SECURITY.md with some text (paraphrased from Jan's ideas) that might reduce security-related noise while still encouraging valid security reports.
@fxamacker fxamacker requested a review from j1010001 January 22, 2026 01:59
@fxamacker fxamacker requested a review from turbolent as a code owner January 22, 2026 01:59
@fxamacker fxamacker added the documentation Improvements or additions to documentation label Jan 22, 2026
@fxamacker
Replace text that is moved to vulnerability disclosure program
3e94650 
The first paragraph under "Flow Rewards" section is moved to the vulnerability disclosure program by Jan, so we don't have to keep that requirement in this document.

This commit replaces the specific requirement with the more general statement:

"Security reports that follow the guidelines and meet other conditions of the vulnerability disclosure program might qualify for Flow Protocol Rewards."
turbolent
turbolent approved these changes Jan 26, 2026
View reviewed changes
Copy link
Member

@turbolent turbolent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

SECURITY.md
- list of affected platforms (Atree is only officially supported on 64-bit architectures)

- version of [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree)
- list of changes to the source code of Flow components (generally, the vulnerability reproducer shouldn't require modifying Flow source code)
Copy link
Member

@turbolent turbolent Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To get fewer false positive reports, we might want to change this and require reports not to modify Flow source code, they should be for a currently deployed releases

Copy link
Member Author

@fxamacker fxamacker Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To get fewer false positive reports, we might want to change this and require reports not to modify Flow source code, they should be for a currently deployed releases

Great point! I was tempted to do that at first, but I'm concerned about requirements in SECURITY.md getting too strict because reports with real security bugs might not be sent to us.

The PR's compromise is to require reports to list their changes to Flow source code, and also remind that such changes generally shouldn't be made for reproducers (to allow for rare exceptions). And outside this repo, @j1010001 was planning to add the stricter requirements to the vulnerability disclosure program to reduce false alarms in reports that want to qualify for rewards/bounties.

For now, maybe we can see if the milder changes to SECURITY.md combined with stricter changes outside this repo (vulnerability disclosure program) reduces the frequency of false positive reports. If it doesn't work in reducing false positive reports, we can make the requirements stricter as suggested.

fxamacker and others added 2 commits January 26, 2026 16:41
@fxamacker @turbolent
Add links to repos and docs by @turbolent
e1490fe 
Co-authored-by: Bastian Müller <bastian@turbolent.com>
@fxamacker
Fix formatting in SECURITY.md
ffeeca4
@fxamacker fxamacker merged commit da4c0c8 into main Jan 28, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turbolent turbolent turbolent approved these changes

@j1010001 j1010001 Awaiting requested review from j1010001

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fxamacker @turbolent