chore: add SECURITY.md #2690
Conversation
I think this document resembles an incomplete bug bounty program description for the Tact ecosystem rather than a security policy for a single project, as it covers multiple projects and is quite comprehensive.
Overall, it seems reasonable, but I would add more specific details:
- Define severity levels: Needed to prevent misinterpretation by reporters.
- Specify bounty rewards: Without incentives, critical vulnerabilities (which could financially benefit attackers) may go unreported. Rewards should reflect severity.
- Formalize response timelines: For instance, "We guarantee a response within N business days."
- The Tact compiler, including the TypeScript wrappers it generates,
- The Tact standard library (`stdlib`),
- Developer tooling: Tact's CLI, VS Code plugin, and the Tact [language server](https://github.com/tact-lang/tact-language-server),
I would create a complete list with links to github repos for clarity.
I'm not sure if I got it. CLI or CI? No mistake here?
Your report should include:

- A description of the vulnerability.
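Review bot: the checklist opens with only "A description of the vulnerability"; for a compiler and tooling project, triage will also need the affected component and version (or commit), a minimal reproducer (a small Tact contract plus the compiler or tool invocation that shows the problem), and the reporter's own assessment of impact. If the remaining bullets do not cover these, add them so the first exchange with a reporter is not spent asking for them.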
nit: Let's make formatting of the lists more consistent (e.g. capitalized, no trailing comma)
## Out of scope

Only the targets listed under in-scope are part of the security policy. This means that, for example, our infrastructure, such as webpages, is not part of the scope.
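Review bot: "Only the targets listed under in-scope" points forward to a section that, in the order shown here, comes after this one; move "In scope" ahead of "Out of scope", or turn "in-scope" into a link to that heading, so the exclusion is read against a list the reader has already seen.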
I would explicitly specify what is out of scope:
Only the targets listed under in-scope are part of the security policy. This means that, for example, our infrastructure, such as webpages, is not part of the scope.
Only the targets listed under "in-scope" are part of the security policy.
The following are considered out of scope:
- Server infrastructure (TODO: backend components, static webpages, ...)
- ...
## In scope

This policy applies to:
How about CI? And npm repositories? These are very common attack vectors.
- Web-based compiler services, such as [TON Web IDE](https://ide.ton.org),
- Smart contract generation and deployment utilities.

A security issue, in this case, may stem from miscompilation, incorrect documentation description, incorrect language server, editor plugin, or TON Web IDE suggestions, which can lead to monetary loss if an affected smart contract is deployed in the mainnet and a malicious third party interacts with it.
I would replace this with severity level descriptions. Attacks leading to DoS attacks, gas draining or similar issues are problematic but definitely not critical.
Also, it would be nice to have a bullet list here as well.
@jubnzv Thanks for your detailed review, I really appreciate it. I'll split the current PR in two: there will be a simpler SECURITY.md file for the GitHub setup. We will also add similar files to all the relevant projects in the
Issue
Closes #423.