1 |
| -# Coordinated Vulnerability Disclosure Policy |
| 1 | +## How to Report a Security Bug |
2 | 2 |
|
3 |
| -The Cosmos ecosystem believes that strong security is a blend of highly |
4 |
| -technical security researchers who care about security and the forward |
5 |
| -progression of the ecosystem and the attentiveness and openness of Cosmos core |
6 |
| -contributors to help continually secure our operations. |
| 3 | +If you believe you have found a security vulnerability in Gaia, |
| 4 | +you can report it to our primary vulnerability disclosure channel, the |
| 5 | +[Cosmos HackerOne Bug Bounty program](https://hackerone.com/cosmos?type=team). |
7 | 6 |
|
8 |
| -> **IMPORTANT**: *DO NOT* open public issues on this repository for security |
9 |
| -> vulnerabilities. |
| 7 | +If you prefer to report an issue via email, you may send a bug report to |
| 8 | +security@interchain.io with the issue details, reproduction, impact, and other |
| 9 | +information. Please submit only one unique email thread per vulnerability. |
| 10 | +Any issues reported via email are ineligible for bounty rewards. |
10 | 11 |
|
11 |
| -## Scope |
| 12 | +Artifacts from an email report are saved at the time the email is triaged. |
| 13 | +Please note: our team is not able to monitor dynamic content (e.g. a Google |
| 14 | +Docs link that is edited after receipt) throughout the lifecycle of a report. |
| 15 | +If you would like to share additional information or modify previous |
| 16 | +information, please include it in an additional reply as an additional attachment. |
12 | 17 |
|
13 |
| -| Scope | |
14 |
| -|-----------------------| |
15 |
| -| last release (tagged) | |
16 |
| -| main branch | |
| 18 | +***Please DO NOT file a public issue in this repository to report a security vulnerability.*** |
17 | 19 |
|
18 |
| -The latest **release tag** of this repository is supported for security updates |
19 |
| -as well as the **main** branch. Security vulnerabilities should be reported if |
20 |
| -the vulnerability can be reproduced on either one of those. |
21 | 20 |
|
22 |
| -## Reporting a Vulnerability |
| 21 | +## Coordinated Vulnerability Disclosure Policy and Safe Harbor |
23 | 22 |
|
24 |
| -| Reporting methods | |
25 |
| -|---------------------------------------------------------------| |
26 |
| -| [GitHub Private Vulnerability Reporting][gh-private-advisory] | |
27 |
| -| [HackerOne bug bounty program][h1] | |
| 23 | +For the most up-to-date version of the policies that govern vulnerability |
| 24 | +disclosure, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team&view_policy=true). |
28 | 25 |
|
29 |
| -All security vulnerabilities can be reported under GitHub's [Private |
30 |
| -vulnerability reporting][gh-private-advisory] system. This will open a private |
31 |
| -issue for the developers. Try to fill in as much of the questions as possible. |
32 |
| -If you are not familiar with the CVSS system for assessing vulnerabilities, just |
33 |
| -use the Low/High/Critical severity ratings. A partially filled in report for a |
34 |
| -critical vulnerability is still better than no report at all. |
35 |
| - |
36 |
| -Vulnerabilities associated with the **Go, Rust or Protobuf code** of the |
37 |
| -repository may be eligible for a [bug bounty][h1]. Please see the bug bounty |
38 |
| -page for more details on submissions and rewards. If you think the vulnerability |
39 |
| -is eligible for a payout, **report on HackerOne first**. |
40 |
| - |
41 |
| -Vulnerabilities in services and their source codes (JavaScript, web page, Google |
42 |
| -Workspace) are not in scope for the bug bounty program, but they are welcome to |
43 |
| -be reported in GitHub. |
44 |
| - |
45 |
| -### Guidelines |
46 |
| - |
47 |
| -We require that all researchers: |
48 |
| - |
49 |
| -* Abide by this policy to disclose vulnerabilities, and avoid posting |
50 |
| - vulnerability information in public places, including GitHub, Discord, |
51 |
| - Telegram, and Twitter. |
52 |
| -* Make every effort to avoid privacy violations, degradation of user experience, |
53 |
| - disruption to production systems (including but not limited to the Cosmos |
54 |
| - Hub), and destruction of data. |
55 |
| -* Keep any information about vulnerabilities that you’ve discovered confidential |
56 |
| - between yourself and the Cosmos engineering team until the issue has been |
57 |
| - resolved and disclosed. |
58 |
| -* Avoid posting personally identifiable information, privately or publicly. |
59 |
| - |
60 |
| -If you follow these guidelines when reporting an issue to us, we commit to: |
61 |
| - |
62 |
| -* Not pursue or support any legal action related to your research on this |
63 |
| - vulnerability |
64 |
| -* Work with you to understand, resolve and ultimately disclose the issue in a |
65 |
| - timely fashion |
66 |
| - |
67 |
| -### More information |
68 |
| - |
69 |
| -* See [TIMELINE.md] for an example timeline of a disclosure. |
70 |
| -* See [DISCLOSURE.md] to see more into the inner workings of the disclosure |
71 |
| - process. |
72 |
| -* See [EXAMPLES.md] for some of the examples that we are interested in for the |
73 |
| - bug bounty program. |
74 |
| - |
75 |
| -[gh-private-advisory]: /../../security/advisories/new |
76 |
| -[h1]: https://hackerone.com/cosmos |
77 |
| -[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md |
78 |
| -[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md |
79 |
| -[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md |
| 26 | +The policy hosted on HackerOne is the official Coordinated Vulnerability |
| 27 | +Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and |
| 28 | +infrastructure it supports, and it supersedes previous security policies that |
| 29 | +have been used in the past by individual teams and projects with targets in |
| 30 | +scope of the program. |
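Review bot: the removed `## Scope` section (last tagged release and the `main` branch) has no replacement in the new text, so a reporter can no longer tell from this file which versions are supported for security fixes; consider keeping a one-line scope statement, or saying explicitly that scope is defined on the HackerOne policy page. Related to that, the old file stated the safe-harbor commitments inline ("Not pursue or support any legal action ...") while the new one only links to them; if email reports to security@interchain.io are covered by the same safe harbor as HackerOne submissions, stating that here would remove ambiguity for reporters who never open the link. Two smaller points: the bolded "Please DO NOT file a public issue" line now sits after the email instructions rather than at the top, where the old IMPORTANT callout put it, and "include it in an additional reply as an additional attachment" reads more clearly as "include it as an attachment to a follow-up reply". Finally, since the GitHub Private Vulnerability Reporting channel is dropped from the policy, it is worth confirming it is also disabled in the repository settings, otherwise reports may still arrive there with no documented handling.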