Merge pull request #68 from zecdev/security-md
[#67] Add SECURITY.md
Showing 1 changed file with 53 additions and 0 deletions.
@@ -0,0 +1,53 @@ | ||
This page is copyright ZecDev.org, 2024. It is posted in order to conform to this standard: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6 | ||
|
||
# Security Disclosures | ||
|
||
## Disclosure Principles | ||
|
||
ZecDev's security disclosure process aims to achieve the following goals: | ||
- protecting ZecDev's users and the wider ecosystem | ||
- respecting the work of security researchers | ||
- improving the ongoing health of the Zcash ecosystem | ||
|
||
Specifically, we will: | ||
- assume good faith from researchers and ecosystem partners | ||
- operate a no fault process, focusing on the technical issues | ||
- work with security researchers, regardless of how they choose to disclose issues | ||
|
||
## Receiving Disclosures | ||
|
||
ZecDev.org is committed to working with researchers who submit security vulnerability notifications to us to resolve those issues on an appropriate timeline and perform a coordinated release, giving credit to the reporter if they would like. | ||
|
||
Our best contact for security issues is [email protected]. | ||
|
||
## Sending Disclosures | ||
|
||
In the case where we become aware of security issues affecting other projects that has never affected ZecDev's projects, our intention is to inform those projects of security issues on a best effort basis. | ||
|
||
In the case where we fix a security issue in our projects that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in https://github.com/RD-Crypto-Spec/Responsible-Disclosure, subject to the deviations described in the section at the bottom of this document. | ||
|
||
## Deviations from the Standard | ||
|
||
The standard describes reporters of vulnerabilities including full details of an issue, in order to reproduce it. This is necessary for instance in the case of an external researcher both demonstrating and proving that there really is a security issue, and that security issue really has the impact that they say it has - allowing the development team to accurately prioritize and resolve the issue. | ||
|
||
For the case our assessment determines so, we might decide not to include those details with our reports to partners ahead of coordinated release, so long as we are sure that they are vulnerable. | ||
|
||
|
||
Below you can find [email protected] PGP pub key. | ||
``` | ||
-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
xjMEZvruLhYJKwYBBAHaRw8BAQdAidX5sDkbrVGcRp3RIhhJoXPdsqBM5slk | ||
8H3mgs+EhFXNKXNlY3VyaXR5QHplY2Rldi5vcmcgPHNlY3VyaXR5QHplY2Rl | ||
di5vcmc+wowEEBYKAD4Fgmb67i4ECwkHCAmQ0hYruZ0SM+QDFQgKBBYAAgEC | ||
GQECmwMCHgEWIQRdDkFAkPdo3dHRpRTSFiu5nRIz5AAAcFsBAIpCq9AGvFdc | ||
M9MYKCkstRMrltnhKsdnVs97oegM8HCsAQDTEB3GZn3kJGG1kCa+Wy0C1zZO | ||
FDTB0P3eBBLOr84oAM44BGb67i4SCisGAQQBl1UBBQEBB0C53DLo7aTs/6fC | ||
j4Hvjr7l7993eKZhb6RPqGeWt4xdLwMBCAfCeAQYFgoAKgWCZvruLgmQ0hYr | ||
uZ0SM+QCmwwWIQRdDkFAkPdo3dHRpRTSFiu5nRIz5AAANOYA+QGte85uZHxI | ||
9o29GbPndaoSUo6+3+YS9m1oqzJjmg4tAQD2RvYflmx7vIQirGvfaCwumN3v | ||
DzIvY8Qt3jfH4WJXBw== | ||
=AQmT | ||
-----END PGP PUBLIC KEY BLOCK----- | ||
``` | ||
|
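Review bot: the "Sending Disclosures" section promises to engage "the following neighboring projects" but no list of projects follows the sentence, so a reader cannot tell which projects are covered by the bilateral disclosure commitment; either add the list or drop "the following". Two smaller points in the same file: the armored PGP block is the only way given to identify the security contact key, so stating the key's fingerprint in plain text next to "Below you can find ... PGP pub key" would let reporters check that the key they import matches the one the policy intends, and the prose has a few grammar slips worth fixing before merge ("security issues affecting other projects that has never affected" should read "that have never affected", "no fault process" should be hyphenated as "no-fault process", and "For the case our assessment determines so" reads more clearly as "Where our assessment determines it appropriate").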