Add SECURITY.md #581
@@ -0,0 +1,31 @@ | ||||||||||||
# Critical bugs and security issues 💥 | ||||||||||||
If you're here because you're trying to figure out how to notify us of a security issue, go to [Discord](https://discord.gg/VNyAnw7e), and alert: | ||||||||||||
- Ethan Frey `ethanfrey#9693` | ||||||||||||
- elsehow `elsehow#3115` | ||||||||||||
Comment on lines +6 to +7

I appreciate you making this PR, but shouldn't the recommended people be at least from the CosmWasm circle? From the issue I assume you're collaborating with @JakeHartnell; I recognize him.

Yeah, this repo is maintained by Confio; it should be us getting those mails. Happy if you use this proposal on cw-nfts. And if we spin off maintainership of other repos, happy for them to use other contact methods.

Indeed, I would prefer to not be on this list, all else equal. I added my own name so Ethan wouldn't be the only person on the hook. If we move forward with this, it would be great to put together a list of folks who should be notified!

I think this is a crucial point/decision. As long as Confio is the maintainer, we should use [email protected] as the only security contact, as shown in https://github.com/CosmWasm/wasmd/blob/master/SECURITY.md.
Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues. | ||||||||||||
### Coordinated Vulnerability Disclosure Policy | ||||||||||||
I think this is a nice proposal for disclosure policies.
We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you: | ||||||||||||
- Allow us a reasonable amount of time to correct or address security vulnerabilities. | ||||||||||||
- Avoid exploiting any vulnerabilities that you discover. | ||||||||||||
- Demonstrate good faith by not disrupting or degrading services built on top of cw-plus. | ||||||||||||
### Vulnerability Disclosure Process | ||||||||||||
The process sounds reasonable, but I would like to discuss it with the rest of the Confio team first.
cw-plus uses the following disclosure process: | ||||||||||||
- Once a security report is received, the cw-plus core development team works to verify the issue. | ||||||||||||
- Patches are prepared for eligible releases in private repositories. | ||||||||||||
- We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators. | ||||||||||||
- 24 hours following this notification, the fixes are applied publicly and new releases are issued. | ||||||||||||
- Once releases are available for cw-plus, we notify the community, again, through the same channels as above. | ||||||||||||
- Once the community is notified, we will pay out any relevant bug bounties to submitters. | ||||||||||||
- One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it. | ||||||||||||
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep the cw-plus contracts and the projects that depend on them secure. |
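Review bot: the only reporting channel given on lines +6 and +7 is two individuals' Discord handles behind a single invite link, so a report depends on those two people being reachable and on the invite staying valid, and nothing in the file offers a way to send an encrypted report; suggest a project-owned mailbox as the single primary contact with a published PGP key, and state an expected acknowledgement time next to "Allow us a reasonable amount of time to correct or address security vulnerabilities." Two smaller points in the process list: "Patches are prepared for eligible releases" does not say which release lines are eligible, and "we will pay out any relevant bug bounties" refers to a bounty program the file neither describes nor links, so either link the program or drop that step.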
We have an official security.md for wasmd https://github.com/CosmWasm/wasmd/blob/master/SECURITY.md

It would be good to keep this in line with the other one. It currently has one official email, and we are working on securely distributing a GPG key to a few different team members so we can accept encrypted messages as well.

I would not recommend reporting bugs on discord.