Add SECURITY.md #581
Conversation
- Ethan Frey `ethanfrey#9693` | ||
- elsehow `elsehow#3115` |
- Ethan Frey `ethanfrey#9693` | |
- elsehow `elsehow#3115` | |
- Ethan Frey `ethanfrey#9693` | |
- Simon Warta `Simon | Confio#9061` | |
- elsehow `elsehow#3115` |
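Review bot: the contact list in this hunk consists only of individual Discord handles (`ethanfrey#9693`, `elsehow#3115`, `Simon | Confio#9061`), so a reporter depends on specific people being reachable and on those handles not changing; suggest a role-based mailbox owned by the maintaining organisation as the primary contact, with named individuals at most as a fallback.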
I appreciate you making this PR, but shouldn't the recommended people be at least from the CosmWasm circle? From the issue I assume you're collaborating with @JakeHartnell, I recognize him.
@ethanfrey what do you think?
Yeah, this repo is maintained by Confio, it should be us getting those mails.
Happy if you use this proposal on cw-nfts. And if we spin off maintainership of other repos, happy for them to use other contact methods.
Indeed, I would prefer to not be on this list, all else equal. I added my own name so Ethan wouldn't be the only person on the hook.
If we move forward with this, it would be great to put together a list of folks who should be notified!
this repo is maintained by Confio, it should be us getting those mails
I think this is a crucial point/decision. As long as Confio is the maintainer, we should use [email protected] as the only security contact as shown in https://github.com/CosmWasm/wasmd/blob/master/SECURITY.md.
Thank you for the contribution and for giving a nudge towards better SECURITY files. This is a good initiative we have discussed internally but not seen any external interest in.
We have an official security.md for wasmd https://github.com/CosmWasm/wasmd/blob/master/SECURITY.md
and are discussing GPG keys for secure contacts.
Also trying to organize bug bounties to encourage responsible disclosure (but HackerOne wouldn't accept CosmWasm...).
Not going to merge as is, but great initiative and inspiration. Especially the sections on Disclosure Policy and Process.
Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues. | ||
### Coordinated Vulnerability Disclosure Policy |
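Review bot: the sentence asking reporters not to open public issues gives no alternative at the same place, so a reporter who stops reading here still does not know where to go; suggest naming the private reporting channel directly after it (for example "Instead, report it privately via ..."), so the instruction is actionable at the point it is read.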
I think this is a nice proposal for disclosure policies.
- Avoid exploiting any vulnerabilities that you discover. | ||
- Demonstrate good faith by not disrupting or degrading services built on top of cw-plus. | ||
### Vulnerability Disclosure Process |
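Review bot: "Avoid exploiting any vulnerabilities that you discover" reads as advice rather than a condition; in a coordinated disclosure policy it should be stated as a requirement ("Do not exploit ...") and paired with what the maintainers commit to in return (acknowledgement of the report and a response timeline), otherwise the "good faith" asked of reporters in the next bullet has no counterpart from the project.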
The process sounds reasonable, but I would like to discuss it with the rest of the Confio team first.
@@ -0,0 +1,31 @@ | |||
# Critical bugs and security issues 💥 | |||
If you're here because you're trying to figure out how to notify us of a security issue, go to [Discord](https://discord.gg/VNyAnw7e), and alert: |
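Review bot: pointing reporters to a Discord invite link as the notification channel means vulnerability details travel over a chat service with no end-to-end encryption and no control over who in a shared server sees them; suggest a dedicated email address with a published encryption key as the primary channel (consistent with the wasmd SECURITY.md linked elsewhere in this thread), keeping Discord, if at all, for initial contact only.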
We have an official security.md for wasmd https://github.com/CosmWasm/wasmd/blob/master/SECURITY.md
It would be good to keep this in line with the other one. It currently has one official email, and we are working on securely distributing a GPG key to a few different team members so we can accept encrypted messages as well.
I would not recommend reporting bugs on Discord.
- Ethan Frey `ethanfrey#9693` | ||
- elsehow `elsehow#3115` |
@ethanfrey Sounds great, thanks for having a look at it. Feel free to ping me as you discuss with Confio.
@webmaster128 @alpe I would love your feedback here. In my mind, we take the parts we like here and add them to the Once that is finalised, we can then copy SECURITY.md to all the major repos (cosmwasm, cw-plus, wasmvm, etc). There are some nice additions related to process here which I would be happy to see in the wasmd version as well.
This PR contains a very good disclosure policy which we can adopt, as well as a template for a process to discuss internally. Wasmd contains only a very basic description yet. It was supposed to get started with a process, but there is more we can do before v1. I found https://snyk.io/blog/add-a-security-md-file-to-your-azure-repos/ a good overview in the past of what else could be provided. It makes sense to me to maintain a central SECURITY.md file with up-to-date information in one repo and provide only basic ones in all other projects' repos that point to it.
Much of this was originally in CosmWasm/cw-plus#581
Thank you for bringing this up.
Closed in favor of #624, now we added this to
Addresses #580. Add an explicit disclosure process (adapted from Tendermint's) to build common expectations about how critical security issues are disclosed to the community, on what timeline, and via what channels.