From 1f804e108e4064af256f080b6b3b54d33faab288 Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Thu, 4 May 2023 14:01:44 +0200 Subject: [PATCH 1/7] Update security policies with bug bounty info This is a first draft to update the security policies across repositories with the immunefi bug bounty information after its launch (and first amendment) Requesting review and feedback on language --- SECURITY.md | 90 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 58 insertions(+), 32 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index fafc1bdc..f81cc7e7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,8 +1,62 @@ # Security Policy -## Reporting a Vulnerability +## Bug Bounty Program -If you identify vulnerabilities with any Threshold Network code, please email `security@threshold.network` with relevant information to your findings. We will work with researchers to coordinate vulnerability disclosure between our stakers, partners, and users to ensure the successful mitigation of vulnerabilities. +Since April 28th, 2022 Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/bounty/thresholdnetwork/) as approved by Threshold DAO in [TIP-041](https://forum.threshold.network/t/tip-041-establish-a-bug-bounty-program/453) proposal. + +The details for the Bug Bounty are constantly maintained and updated at the [Immunefi dedicated space to Threshold](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: + +Smart Contracts +- Critical Level: USD $100,000 to USD $500,000 +- High Level: USD $10,000 to USD $50,000 +- Medium Level: USD $1,000 to USD $5,000 +- Low Level: USD $1,000 + +Websites and Applications +- Critical Level: USD $10,000 to USD $25,000 +- High Level: USD $1,000 to USD $10,000 +- Medium Level: USD $1,000 + +**Out of Scope Impacts** +Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program: + +General: +- Attacks that the reporter has already exploited themselves, leading to damage +- Attacks requiring access to leaked keys/credentials +- Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible +- Broken link hijacking is out of scope + +Smart Contracts and Blockchain/DLT: +- Basic economic governance attacks (e.g. 
51% attack) +- Lack of liquidity +- Best practice critiques +- Sybil attacks +- Centralization risks + +Websites and Apps: +- Theoretical impacts without any proof or demonstration +- Content spoofing / Text injection issues +- Self-XSS +- Captcha bypass using OCR +- CSRF with no security impact (logout CSRF, change language, etc.) +- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) +- Server-side information disclosure such as IPs, server names, and most stack traces +- Vulnerabilities used to enumerate or confirm the existence of users or tenants +- Vulnerabilities requiring unlikely user actions +- Lack of SSL/TLS best practices +- Attacks involving DOS and/or DDoS +- Attacks that require physical contact to the victims computer and/or wallet +- Attacks requiring privileged access from within the organization +- SPF records for email domains +- Feature requests +- Best practices + +Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. + + +## Reporting a Vulnerability Not Covered by the Bug Bounty Program + +For those assets that are not covered in the Immunefi Bug Bounty program, (please see the updated program [here](https://immunefi.com/bounty/thresholdnetwork/)), if you identify any vulnerabilities within the Threshold Network code and outside our bounty program, please let us know. You can send an email to `security@threshold.network` with relevant information about your findings. We will work with researchers to coordinate vulnerability disclosure between our stakers, partners, and users to ensure the successful mitigation of vulnerabilities. 
Throughout the reporting process, we expect researchers to honor an embargo period that may vary depending on the severity of the disclosure. This ensures that we have the opportunity to fix any issues, identify further issues (if any), and inform our users. 
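Review bot: The added paragraph under "Reporting a Vulnerability Not Covered by the Bug Bounty Program" at the end of this hunk stacks a parenthetical and two conditional clauses before the actual instruction; split it into one scope sentence and one contact sentence, e.g. `Assets not listed in the Immunefi program are still covered by responsible disclosure.` followed by `Email security@threshold.network with the details of your findings.` Two further points in the same hunk: the new reward table lists Low Level as USD $1,000 while the text it replaces listed Low as up to $500 in T tokens, so confirm both the amount and the payout currency are intentional; and the out-of-scope list is copied from the Immunefi page, so it will drift unless one of the two is declared the source of truth. Minor: `victims computer` should read `victim's computer`.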
@@ -12,35 +66,7 @@ A great place to begin your research is by working on our testnet. Please see ou The Threshold team will make a best effort to respond to a new report **within 48 hours**. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames from the Threshold team. -The Threshold team will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. - -The Threshold DAO does have a bug bounty available, which is dispensed on a case-by-case basis. - -## Bug Bounty Program - -The following Bug Bounty amounts were approved by the DAO in [TIP-041](https://forum.threshold.network/t/tip-041-establish-a-bug-bounty-program/453) proposal: - -- Critical: Up to $500,000 in T tokens. -- High: Up to $50,000 in T tokens. -- Medium: Up to $5,000 in T tokens. -- Low: Up to $500 in T tokens. - -The following attacks are excluded from the Bug Bounty program: - -- Attacks that the reporter has already exploited themselves, leading to damage. -- Attacks requiring access to leaked keys/credentials. -- Basic economic governance attacks (e.g. 51% attack). -- Lack of liquidity. -- Sybil attacks. - -The following activities are prohibited by this bug bounty program: - -- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets. -- Attempting phishing or other social engineering attacks against our contributors and/or users. -- Any denial of service attacks. -- Automated testing of services that generates significant amounts of traffic. -- Public disclosure of an unpatched vulnerability in an embargoed bounty. +The Threshold team will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. 
The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. -Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. +We also ask all researchers to please submit their reports in English. -Threshold DAO is currently in the process of establishing a Bug Bounty program on Immunefi. From ad93b0d0998736c66f9107f5b01dfa393ae7ee00 Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Fri, 5 May 2023 11:29:03 +0200 Subject: [PATCH 2/7] Apply suggestions from code review Co-authored-by: MacLane S Wilkison --- SECURITY.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f81cc7e7..961c3964 100644 --- a/SECURITY.md +++ b/SECURITY.md 
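Review bot: This hunk drops the "activities prohibited" list (no testing against mainnet or public testnet contracts, no phishing or social engineering of contributors or users, no denial of service, no high-volume automated testing, no public disclosure of an unpatched embargoed vulnerability) without an equivalent in the added text, so after this change the policy states no rules of engagement beyond the embargo paragraph kept in the previous hunk. Either keep that list under the new Bug Bounty Program section or add a sentence pointing to where Immunefi publishes the program rules. The added "submit their reports in English" line reads better attached to the reporting paragraph than as a one-line paragraph after the compensation sentence.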
@@ -2,9 +2,9 @@ ## Bug Bounty Program -Since April 28th, 2022 Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/bounty/thresholdnetwork/) as approved by Threshold DAO in [TIP-041](https://forum.threshold.network/t/tip-041-establish-a-bug-bounty-program/453) proposal. +Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/bounty/thresholdnetwork/). -The details for the Bug Bounty are constantly maintained and updated at the [Immunefi dedicated space to Threshold](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: +The details for the Bug Bounty are maintained and updated at the [Immunefi dedicated space to Threshold](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: Smart Contracts - Critical Level: USD $100,000 to USD $500,000 @@ -24,7 +24,7 @@ General: - Attacks that the reporter has already exploited themselves, leading to damage - Attacks requiring access to leaked keys/credentials - Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible -- Broken link hijacking is out of scope +- Broken link hijacking Smart Contracts and Blockchain/DLT: - Basic economic governance attacks (e.g. 51% attack) 
@@ -64,9 +64,9 @@ Sometimes vulnerabilities are more sensitive in nature and require extra precaut A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and immediately email `security@threshold.network`. -The Threshold team will make a best effort to respond to a new report **within 48 hours**. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames from the Threshold team. +Threshold DAO will make a best effort to respond to a new report **within 48 hours**. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames. -The Threshold team will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. +Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. We also ask all researchers to please submit their reports in English. 
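Review bot: Removing "as approved by Threshold DAO in TIP-041" in the first hunk deletes the only reference to the governance proposal that authorised the program; if only the launch date needed to go, keep the TIP-041 link in the rewritten sentence, e.g. `Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/bounty/thresholdnetwork/) approved in [TIP-041](https://forum.threshold.network/t/tip-041-establish-a-bug-bounty-program/453).` In the last hunk the first sentence now says "Threshold DAO" while the next sentence still says "The Threshold DAO"; pick one form for the paragraph.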
From 8756ad702a2b8c2b868d8780aa9dbba19479338e Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Fri, 5 May 2023 18:34:14 +0200 Subject: [PATCH 3/7] Update SECURITY.md Co-authored-by: Derek Pierre --- SECURITY.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 961c3964..4b1e4dc1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,7 +17,8 @@ Websites and Applications - High Level: USD $1,000 to USD $10,000 - Medium Level: USD $1,000 -**Out of Scope Impacts** +### Out of Scope Impacts + Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program: General: From 17d17fdd29801e161a1d452280fdae092e087b33 Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Mon, 8 May 2023 16:33:45 +0200 Subject: [PATCH 4/7] Update SECURITY.md This is a review of language on the security policy taking into account the given feedback to funnel all bugs through the Immunefi program. Please check if everything is correct. --- SECURITY.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4b1e4dc1..291fee9d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,6 +17,8 @@ Websites and Applications - High Level: USD $1,000 to USD $10,000 - Medium Level: USD $1,000 +A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers. + ### Out of Scope Impacts Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program: 
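Review bot: In the last hunk (patch 4), the relocated testnet paragraph changes the instruction for accidental access to someone else's machine from "immediately email `security@threshold.network`" to "create a report using the immunefi dashboard for researchers", which turns an incident notification into a bounty submission and drops the urgency. Keep a direct contact for that case, since it is not a reward claim, and link the dashboard if it is meant to be the channel. Also "immunefi" should be capitalised as "Immunefi" to match the rest of the file.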
@@ -57,15 +59,7 @@ Rewards are distributed according to the impact of the vulnerability based on th ## Reporting a Vulnerability Not Covered by the Bug Bounty Program -For those assets that are not covered in the Immunefi Bug Bounty program, (please see the updated program [here](https://immunefi.com/bounty/thresholdnetwork/)), if you identify any vulnerabilities within the Threshold Network code and outside our bounty program, please let us know. You can send an email to `security@threshold.network` with relevant information about your findings. We will work with researchers to coordinate vulnerability disclosure between our stakers, partners, and users to ensure the successful mitigation of vulnerabilities. - -Throughout the reporting process, we expect researchers to honor an embargo period that may vary depending on the severity of the disclosure. This ensures that we have the opportunity to fix any issues, identify further issues (if any), and inform our users. - -Sometimes vulnerabilities are more sensitive in nature and require extra precautions. We are happy to work together to use a more secure medium, such as Signal. Email security@threshold.network and we will coordinate a communication channel that we're both comfortable with. - -A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and immediately email `security@threshold.network`. - -Threshold DAO will make a best effort to respond to a new report **within 48 hours**. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. 
Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames. +Security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi. Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. From 4d16c94c45e5482cfc0111f527894b23e9913c20 Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Fri, 26 May 2023 17:09:17 +0200 Subject: [PATCH 5/7] Update SECURITY.md removing assets out-of-scope to avoid duplicated maintenance of the list, and also making modifications regarding the severity classification of impacts (v2.2 -> v2.3) --- SECURITY.md | 39 ++------------------------------------- 1 file changed, 2 insertions(+), 37 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 291fee9d..2d8877b4 100644 --- a/SECURITY.md +++ b/SECURITY.md 
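Review bot: After this hunk the file no longer contains any direct contact: the `security@threshold.network` reporting sentence, the Signal/secure-channel paragraph, the embargo expectation and the 48-hour response commitment are all removed, while the section heading still promises a path for vulnerabilities "Not Covered by the Bug Bounty Program". If the intent is to funnel everything through Immunefi, as the commit message says, rename the heading to match and state where a researcher can reach the team for reports Immunefi cannot take (for example a sensitive report that needs an out-of-band channel); otherwise keep at least the email and the secure-channel sentence. The added sentence also encourages submissions "outside of the outlined Impacts and Assets in Scope" in general, but the only mechanism it names, the "primacy of impact exception" asset, is tied to a demonstrated critical impact on production code; tighten the first clause so the two halves agree.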
@@ -19,47 +19,12 @@ Websites and Applications A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers. -### Out of Scope Impacts - -Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program: - -General: -- Attacks that the reporter has already exploited themselves, leading to damage -- Attacks requiring access to leaked keys/credentials -- Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible -- Broken link hijacking - -Smart Contracts and Blockchain/DLT: -- Basic economic governance attacks (e.g. 51% attack) -- Lack of liquidity -- Best practice critiques -- Sybil attacks -- Centralization risks - -Websites and Apps: -- Theoretical impacts without any proof or demonstration -- Content spoofing / Text injection issues -- Self-XSS -- Captcha bypass using OCR -- CSRF with no security impact (logout CSRF, change language, etc.) 
-- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) -- Server-side information disclosure such as IPs, server names, and most stack traces -- Vulnerabilities used to enumerate or confirm the existence of users or tenants -- Vulnerabilities requiring unlikely user actions -- Lack of SSL/TLS best practices -- Attacks involving DOS and/or DDoS -- Attacks that require physical contact to the victims computer and/or wallet -- Attacks requiring privileged access from within the organization -- SPF records for email domains -- Feature requests -- Best practices - -Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. +Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. ## Reporting a Vulnerability Not Covered by the Bug Bounty Program -Security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi. +Please, verify the list of assets in-scope and out-of-scope available as part of the [Threshold Bug Bounty details](https://immunefi.com/bounty/thresholdnetwork/). 
Additionally, security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi. Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. From fb2eddd4d24cacd4a72868f370b7dbfb92dc4403 Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Fri, 26 May 2023 17:10:15 +0200 Subject: [PATCH 6/7] Update SECURITY.md remove spaces --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2d8877b4..a67e5b94 100644 --- a/SECURITY.md +++ b/SECURITY.md 
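Review bot: The replacement line changes the classification system from V2.2 to V2.3 and the scale from "5-level" to "4-level" in one edit; confirm both against the linked document before merging, and check that the new `...-severity-classification-system-v2-3/` URL resolves, since the old URL is the only evidence for that naming pattern. Removing the whole "Out of Scope Impacts" list matches the stated goal of avoiding a duplicated list, but the commit message says "assets out-of-scope" while what is removed is the impacts list; adjust the message. The new "Please, verify the list ..." sentence has a stray comma after "Please".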
@@ -7,20 +7,21 @@ Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/ The details for the Bug Bounty are maintained and updated at the [Immunefi dedicated space to Threshold](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: Smart Contracts + - Critical Level: USD $100,000 to USD $500,000 - High Level: USD $10,000 to USD $50,000 - Medium Level: USD $1,000 to USD $5,000 - Low Level: USD $1,000 Websites and Applications + - Critical Level: USD $10,000 to USD $25,000 - High Level: USD $1,000 to USD $10,000 - Medium Level: USD $1,000 A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers. -Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. - +Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. 
## Reporting a Vulnerability Not Covered by the Bug Bounty Program @@ -29,4 +30,3 @@ Please, verify the list of assets in-scope and out-of-scope available as part of Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings. We also ask all researchers to please submit their reports in English. - From 77710c8533ee256cd64d308fa6563f607c47a93e Mon Sep 17 00:00:00 2001 From: Luna5-threshold <110028834+Luna5-threshold@users.noreply.github.com> Date: Wed, 7 Jun 2023 16:52:58 +0200 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: Derek Pierre --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a67e5b94..bae6b2c5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ Threshold Network has a [Bug Bounty program with Immunefi](https://immunefi.com/bounty/thresholdnetwork/). -The details for the Bug Bounty are maintained and updated at the [Immunefi dedicated space to Threshold](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: +The details for the Bug Bounty are maintained and updated at the [Immunefi Threshold page](https://immunefi.com/bounty/thresholdnetwork/). There you can explore the assets in scope for the bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found: Smart Contracts 
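Review bot: The commit message for patch 6 says "remove spaces", but its first hunk adds blank lines after "Smart Contracts" and "Websites and Applications" (which is right, so the reward lists render as lists) and only the second hunk removes a trailing blank line; make the message describe both changes. The patch 7 hunk that follows ("Immunefi Threshold page", "in scope for the bounty") is a clean wording fix and needs no change.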
@@ -19,13 +19,13 @@ Websites and Applications - High Level: USD $1,000 to USD $10,000 - Medium Level: USD $1,000 -A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers. +A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the Immunefi dashboard for researchers. Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. ## Reporting a Vulnerability Not Covered by the Bug Bounty Program -Please, verify the list of assets in-scope and out-of-scope available as part of the [Threshold Bug Bounty details](https://immunefi.com/bounty/thresholdnetwork/). Additionally, security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi. 
+Please verify the list of assets in-scope and out-of-scope available as part of the [Threshold Bug Bounty details](https://immunefi.com/bounty/thresholdnetwork/). Additionally, security researchers are encouraged to submit issues outside of the outlined "Impacts" and "Assets in Scope". If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi. Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings.
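Review bot: The rewritten sentence mixes straight quotes around "Impacts" and "Assets in Scope" with curly quotes around “primacy of impact exception”; use one style throughout. "in-scope and out-of-scope" used as nouns read better unhyphenated ("in scope and out of scope"). The closing context paragraph still alternates "Threshold DAO" and "The Threshold DAO" within two sentences, which this final patch was a chance to settle.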