diff --git a/SECURITY.md b/SECURITY.md index 636d34e850..95714540c7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,79 +1,30 @@ -# Coordinated Vulnerability Disclosure Policy +## How to Report a Security Bug -The Cosmos ecosystem believes that strong security is a blend of highly -technical security researchers who care about security and the forward -progression of the ecosystem and the attentiveness and openness of Cosmos core -contributors to help continually secure our operations. +If you believe you have found a security vulnerability in the Interchain Stack, +you can report it to our primary vulnerability disclosure channel, the +[Cosmos HackerOne Bug Bounty program](https://hackerone.com/cosmos?type=team). -> **IMPORTANT**: *DO NOT* open public issues on this repository for security -> vulnerabilities. +If you prefer to report an issue via email, you may send a bug report to +security@interchain.io with the issue details, reproduction, impact, and other +information. Please submit only one unique email thread per vulnerability. +Any issues reported via email are ineligible for bounty rewards. -## Scope +Artifacts from an email report are saved at the time the email is triaged. +Please note: our team is not able to monitor dynamic content (e.g. a Google +Docs link that is edited after receipt) throughout the lifecycle of a report. +If you would like to share additional information or modify previous +information, please include it in an additional reply as an additional attachment. -| Scope | -|-----------------------| -| last release (tagged) | -| main branch | +***Please DO NOT file a public issue in this repository to report a security vulnerability.*** -The latest **release tag** of this repository is supported for security updates -as well as the **main** branch. Security vulnerabilities should be reported if -the vulnerability can be reproduced on either one of those. 
-## Reporting a Vulnerability +## Coordinated Vulnerability Disclosure Policy and Safe Harbor -| Reporting methods | -|---------------------------------------------------------------| -| [GitHub Private Vulnerability Reporting][gh-private-advisory] | -| [HackerOne bug bounty program][h1] | +For the most up-to-date version of the policies that govern vulnerability +disclosure, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team&view_policy=true). -All security vulnerabilities can be reported under GitHub's [Private -vulnerability reporting][gh-private-advisory] system. This will open a private -issue for the developers. Try to fill in as much of the questions as possible. -If you are not familiar with the CVSS system for assessing vulnerabilities, just -use the Low/High/Critical severity ratings. A partially filled in report for a -critical vulnerability is still better than no report at all. - -Vulnerabilities associated with the **Go, Rust or Protobuf code** of the -repository may be eligible for a [bug bounty][h1]. Please see the bug bounty -page for more details on submissions and rewards. If you think the vulnerability -is eligible for a payout, **report on HackerOne first**. - -Vulnerabilities in services and their source codes (JavaScript, web page, Google -Workspace) are not in scope for the bug bounty program, but they are welcome to -be reported in GitHub. - -### Guidelines - -We require that all researchers: - -* Abide by this policy to disclose vulnerabilities, and avoid posting - vulnerability information in public places, including GitHub, Discord, - Telegram, and Twitter. -* Make every effort to avoid privacy violations, degradation of user experience, - disruption to production systems (including but not limited to the Cosmos - Hub), and destruction of data. 
-* Keep any information about vulnerabilities that you’ve discovered confidential - between yourself and the Cosmos engineering team until the issue has been - resolved and disclosed. -* Avoid posting personally identifiable information, privately or publicly. - -If you follow these guidelines when reporting an issue to us, we commit to: - -* Not pursue or support any legal action related to your research on this - vulnerability -* Work with you to understand, resolve and ultimately disclose the issue in a - timely fashion - -### More information - -* See [TIMELINE.md] for an example timeline of a disclosure. -* See [DISCLOSURE.md] to see more into the inner workings of the disclosure - process. -* See [EXAMPLES.md] for some of the examples that we are interested in for the - bug bounty program. - -[gh-private-advisory]: /../../security/advisories/new -[h1]: https://hackerone.com/cosmos -[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md -[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md -[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md +The policy hosted on HackerOne is the official Coordinated Vulnerability +Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and +infrastructure it supports, and it supersedes previous security policies that +have been used in the past by individual teams and projects with targets in +scope of the program.
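Review bot: the `## Scope` section (last tagged release and `main` branch are the supported targets) is deleted without any replacement in the new text, so a reader of SECURITY.md can no longer tell which versions receive security updates or whether a finding reproduced on an older release is reportable; consider keeping a one-line scope statement such as "The latest release tag and the main branch are supported for security updates" or pointing explicitly to the scope table on the HackerOne policy page rather than leaving it implicit. Two smaller points in the same hunk: the new file opens at `## How to Report a Security Bug` with no top-level `#` heading (the old `# Coordinated Vulnerability Disclosure Policy` H1 is removed), and the GitHub Private Vulnerability Reporting link (`/../../security/advisories/new`) is dropped from the document, so if that feature remains enabled in the repository settings reporters may still file there while the policy no longer lists it; either disable it or mention it as an accepted channel. The email paragraph might also state that email reports are triaged to the same policy and timeline as HackerOne reports, since the text only says they are ineligible for bounty rewards.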