Skip to content

Security: desmos-labs/desmos

Security

SECURITY.md

Desmos Security Policy

The Desmos core team and community takes all security issues and vulnerabilities very seriously.

Thanks for improving the security of Desmos. We appreciate your efforts. Following these responsible disclosure guidelines will make sure your contribution is acknowledged.

To report a security issue go to Discord and alert the core engineers:

  • Riccardo | Desmos Riccardo Montagnin#5414
  • Paul | Desmos Paul | Desmos#0380
  • Manuel | Desmos Manuel Turetta#8033

Alternatively, you can also write an email to [email protected].

Please avoid opening a public Github issue or posting on social media.

The Desmos team will respond with the next steps following the report. It will also keep you informed on the remediation process and may ask for additional guidance/information.

Please include the following in your report:

  • Your name/affiliation (if any)
  • Description of the technical details of the vulnerability, including how to reproduce.
  • An explanation of who can exploit this vulnerability, including possible attack scenarios.
  • Whether this vulnerability is public or known to third parties.

Vulnerability Disclosure Policy

The core team asks security researchers to keep communications around vulnerabilities private and confidential until a patch is ready.

Additionally, we request reporters to:

  • Allow a reasonable amount of time to correct and address the issue.
  • Avoid exploiting the vulnerability.
  • Demonstrate good faith by not disrupting Desmos's network, data, or services.

Vulnerability Disclosure Process

Once a report is received, the following process will be followed:

  1. The Desmos core team will work to verify the issue.
  2. The team will work on a patch in a private repository.
  3. The team will notify the community and validators that a security update is coming, giving ample time to upgrade and apply the patch.
  4. After the community has been notified, and after verifying that the patch works, the team will pay out any relevant bug bounties to submitters.
  5. A post-mortem will be published a week after the vulnerability is discovered.

Every effort will be made to handle disclosures in a timely manner. It's very important to follow the above process for vulnerabilities to be handled quickly and effectively.

There aren’t any published security advisories