Skip to content

Security: terra-money/alliance

Security

SECURITY.md

Terra bug reporting and feature requests

The Terra core development team uses GitHub to manage feature requests and bugs. This is done via GitHub Issues.

Triage and progress ๐Ÿ”œ

Issues added to GitHub will be triaged as they come in.

Tracking of in-flight issues will be done through the Terra Core project board; however, the Terra core development team reserves the right to not make a public issue if there is a security implication in doing so.

Feature request ๐Ÿš€

For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers.

For chain-specific requests, governance, or parameter changes, please discuss any issues or features on the relevant chain.

Standard priority bug ๐Ÿ›

For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.

Critical bug or security issue ๐Ÿ’ฅ

If you're here because you're trying to figure out how to notify us of a security issue, use this link to submit your report

Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

The Terra core development team asks security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, the team asks that you:

  • Allow them a reasonable amount of time to correct or address security vulnerabilities.
  • Avoid exploiting any vulnerabilities that you discover.
  • Demonstrate good faith by not disrupting or degrading Terraโ€™s network, data, or services.

Vulnerability Disclosure Process

The Terra core development team uses the following disclosure process:

  • Once a security report is received, the Terra core development team works to verify the issue.
  • Patches are prepared for eligible releases in private repositories.
  • The Terra core development team notifies the community that a security release is coming to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators.
  • 24 hours following this notification, the fixes are applied publicly and new releases are issued.
  • Once releases are available, the community is notified again through the same channels as above. The Terra core development team also publishes a Security Advisory on Github and publishes the CVE, as long as neither the Security Advisory nor the CVE include any information on how to exploit these vulnerabilities beyond what information is already available in the patch itself.
  • Once the community is notified, any relevant and eligible bug bounties will be paid to submitters.
  • One week after the releases go out, a post will be published with further details on the vulnerability as well as the response to it.
  • This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that the process described above is followed to ensure that disclosures are handled consistently and to keep Terra and the projects running on it secure.

There arenโ€™t any published security advisories