From 4c8c34fa641392baf39080f8c62cf76e2b77898e Mon Sep 17 00:00:00 2001 From: Francisco Gindre Date: Mon, 30 Sep 2024 18:32:24 -0300 Subject: [PATCH] [#67] Add SECURITY.md closes #67 --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..317cd28 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,53 @@ +This page is copyright ZecDev.org, 2024. It is posted in order to conform to this standard: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6 + +# Security Disclosures + +## Disclosure Principles + +ZecDev's security disclosure process aims to achieve the following goals: +- protecting ZecDev's users and the wider ecosystem +- respecting the work of security researchers +- improving the ongoing health of the Zcash ecosystem + +Specifically, we will: +- assume good faith from researchers and ecosystem partners +- operate a no fault process, focusing on the technical issues +- work with security researchers, regardless of how they choose to disclose issues + +## Receiving Disclosures + +ZecDev.org is committed to working with researchers who submit security vulnerability notifications to us to resolve those issues on an appropriate timeline and perform a coordinated release, giving credit to the reporter if they would like. + +Our best contact for security issues is security@zecdev.org. + +## Sending Disclosures + +In the case where we become aware of security issues affecting other projects that has never affected ZecDev's projects, our intention is to inform those projects of security issues on a best effort basis. + +In the case where we fix a security issue in our projects that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in https://github.com/RD-Crypto-Spec/Responsible-Disclosure, subject to the deviations described in the section at the bottom of this document. + +## Deviations from the Standard + +The standard describes reporters of vulnerabilities including full details of an issue, in order to reproduce it. 
This is necessary for instance in the case of an external researcher both demonstrating and proving that there really is a security issue, and that security issue really has the impact that they say it has - allowing the development team to accurately prioritize and resolve the issue. + +For the case our assessment determines so, we might decide not to include those details with our reports to partners ahead of coordinated release, so long as we are sure that they are vulnerable. + + +Below you can find security@zecdev.org PGP pub key. +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEZvruLhYJKwYBBAHaRw8BAQdAidX5sDkbrVGcRp3RIhhJoXPdsqBM5slk +8H3mgs+EhFXNKXNlY3VyaXR5QHplY2Rldi5vcmcgPHNlY3VyaXR5QHplY2Rl +di5vcmc+wowEEBYKAD4Fgmb67i4ECwkHCAmQ0hYruZ0SM+QDFQgKBBYAAgEC +GQECmwMCHgEWIQRdDkFAkPdo3dHRpRTSFiu5nRIz5AAAcFsBAIpCq9AGvFdc +M9MYKCkstRMrltnhKsdnVs97oegM8HCsAQDTEB3GZn3kJGG1kCa+Wy0C1zZO +FDTB0P3eBBLOr84oAM44BGb67i4SCisGAQQBl1UBBQEBB0C53DLo7aTs/6fC +j4Hvjr7l7993eKZhb6RPqGeWt4xdLwMBCAfCeAQYFgoAKgWCZvruLgmQ0hYr +uZ0SM+QCmwwWIQRdDkFAkPdo3dHRpRTSFiu5nRIz5AAANOYA+QGte85uZHxI +9o29GbPndaoSUo6+3+YS9m1oqzJjmg4tAQD2RvYflmx7vIQirGvfaCwumN3v +DzIvY8Qt3jfH4WJXBw== +=AQmT +-----END PGP PUBLIC KEY BLOCK----- +``` +
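Review bot: the Sending Disclosures section refers to "the following neighboring projects", but no list of projects follows anywhere in the file, so the sentence promises something the document never supplies; either add the list of partner projects this commitment applies to or drop "the following". In the same section, "security issues affecting other projects that has never affected ZecDev's projects" should read "that have never affected". Under Deviations from the Standard, "For the case our assessment determines so, we might decide not to include those details" is hard to parse; something like "Where our assessment warrants it, we may omit those details from our reports to partners ahead of a coordinated release" keeps the meaning. For the PGP block, consider stating the key fingerprint in plain text above the armored key so that reporters can verify they have the correct key for security@zecdev.org before encrypting a report, since the armored block alone gives them nothing to cross-check against.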