Skip to content

Security: terpnetwork/terp-core

Security

SECURITY.md

Terp-Core Security Policy

This document describes the Terp Network Security team's process for handling security issues.

Reporting Security Issues

IMPORTANT: Please DO NOT open public issues for security related matters, or discuss it in public forum or on social media.

Email

All security issues should be reported via email to terp.network@skiff.com. Email is delivered to the Terp Network Foundation DAO.

Include the following details in the report:

  • Your name;
  • Your affiliation (if applicable);
  • Technical description of the issue, including steps to reproduce;
  • Explanation of who may be able to exploit this vulnerability and what the impact or implications may be;
  • Whether this vulnerability is public or known to third parties. Please provide details where applicable;

Please notify the Terp Network Security team at the email above of existing public issues that may be of critical security importance. Please ensure to include the issue ID along with a short description / explanation of the security relevance.

GitHub Private Vulnerability Reporting

Under the repository "Security" tab / Security Advisories you will find "Report a vulnerability". Please complete the provided form with as much details as possible.

For more information on GitHub private vulnerability reporting see this.

Best practices for writing repository security advisories can be found here.

Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "Privately report a security vulnerability" in the REST API documentation.

Handling Security Issues

The Terp Network Security team will:

  1. Verify and confirm the issue;
  2. Determine affected versions and scope of impact;
  3. Conduct audits to find any potential similar and related issues;
  4. Prepare fixes for relevant in-production releases;
  5. Endeavor to communicate and coordinate with relevant ecosystem stakeholders, including the Terp Network communities, at the appropriate times;

Please assist the Terp Network Security team by following these guidelines:

  • Allow a reasonable amount of time for the team to respond to and address the issue;
  • Avoid exploiting any issues or vulnerabilities that you may become aware of;
  • Demonstrate good faith by not disrupting the Terp Network's networks, data, services or communities;

Every effort will be made to handle and address security issues as quickly and efficiently as possible.

There aren’t any published security advisories