Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: update security policy #1434

Merged
merged 1 commit into from
Nov 17, 2023
Merged

docs: update security policy #1434

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 22 additions & 71 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,79 +1,30 @@
# Coordinated Vulnerability Disclosure Policy
## How to Report a Security Bug

The Cosmos ecosystem believes that strong security is a blend of highly
technical security researchers who care about security and the forward
progression of the ecosystem and the attentiveness and openness of Cosmos core
contributors to help continually secure our operations.
If you believe you have found a security vulnerability in the Interchain Stack,
you can report it to our primary vulnerability disclosure channel, the
[Cosmos HackerOne Bug Bounty program](https://hackerone.com/cosmos?type=team).

> **IMPORTANT**: *DO NOT* open public issues on this repository for security
> vulnerabilities.
If you prefer to report an issue via email, you may send a bug report to
[email protected] with the issue details, reproduction, impact, and other
information. Please submit only one unique email thread per vulnerability.
Any issues reported via email are ineligible for bounty rewards.

## Scope
Artifacts from an email report are saved at the time the email is triaged.
Please note: our team is not able to monitor dynamic content (e.g. a Google
Docs link that is edited after receipt) throughout the lifecycle of a report.
If you would like to share additional information or modify previous
information, please include it in an additional reply as an additional attachment.

| Scope |
|-----------------------|
| last release (tagged) |
| main branch |
***Please DO NOT file a public issue in this repository to report a security vulnerability.***

The latest **release tag** of this repository is supported for security updates
as well as the **main** branch. Security vulnerabilities should be reported if
the vulnerability can be reproduced on either one of those.

## Reporting a Vulnerability
## Coordinated Vulnerability Disclosure Policy and Safe Harbor

| Reporting methods |
|---------------------------------------------------------------|
| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
| [HackerOne bug bounty program][h1] |
For the most up-to-date version of the policies that govern vulnerability
disclosure, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team&view_policy=true).

All security vulnerabilities can be reported under GitHub's [Private
vulnerability reporting][gh-private-advisory] system. This will open a private
issue for the developers. Try to fill in as much of the questions as possible.
If you are not familiar with the CVSS system for assessing vulnerabilities, just
use the Low/High/Critical severity ratings. A partially filled in report for a
critical vulnerability is still better than no report at all.

Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
page for more details on submissions and rewards. If you think the vulnerability
is eligible for a payout, **report on HackerOne first**.

Vulnerabilities in services and their source codes (JavaScript, web page, Google
Workspace) are not in scope for the bug bounty program, but they are welcome to
be reported in GitHub.

### Guidelines

We require that all researchers:

* Abide by this policy to disclose vulnerabilities, and avoid posting
vulnerability information in public places, including GitHub, Discord,
Telegram, and Twitter.
* Make every effort to avoid privacy violations, degradation of user experience,
disruption to production systems (including but not limited to the Cosmos
Hub), and destruction of data.
* Keep any information about vulnerabilities that you’ve discovered confidential
between yourself and the Cosmos engineering team until the issue has been
resolved and disclosed.
* Avoid posting personally identifiable information, privately or publicly.

If you follow these guidelines when reporting an issue to us, we commit to:

* Not pursue or support any legal action related to your research on this
vulnerability
* Work with you to understand, resolve and ultimately disclose the issue in a
timely fashion

### More information

* See [TIMELINE.md] for an example timeline of a disclosure.
* See [DISCLOSURE.md] to see more into the inner workings of the disclosure
process.
* See [EXAMPLES.md] for some of the examples that we are interested in for the
bug bounty program.

[gh-private-advisory]: /../../security/advisories/new
[h1]: https://hackerone.com/cosmos
[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md
The policy hosted on HackerOne is the official Coordinated Vulnerability
Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and
infrastructure it supports, and it supersedes previous security policies that
have been used in the past by individual teams and projects with targets in
scope of the program.
Loading