From e37555c9a38feb4347b9a10fa2d50975f31c3d2e Mon Sep 17 00:00:00 2001 From: Rano | Ranadeep Date: Tue, 3 Sep 2024 20:04:17 +0200 Subject: [PATCH 1/4] add SECURITY.md Signed-off-by: Rano | Ranadeep --- SECURITY.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..687941442 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,35 @@ +# Security Policy + +## Reporting a Security Vulnerability + +If you believe you have found a security vulnerability in the Interchain Stack, +you can report it to our primary vulnerability disclosure channel, the +[Cosmos HackerOne Bug Bounty program][hackerone-bounty]. + +If you prefer to report an issue via email, you may send a bug report to +security@interchain.io with the issue details, reproduction, impact, and other +information. Please submit only one unique email thread per vulnerability. Any +issues reported via email are ineligible for bounty rewards. + +Artifacts from an email report are saved at the time the email is triaged. +Please note: our team cannot monitor dynamic content (e.g. a Google Docs link +that is edited after receipt) throughout the lifecycle of a report. If you would +like to share additional information or modify previous information, please +include it in an additional reply as an additional attachment. + +Please **DO NOT** file a public issue in this repository to report a security +vulnerability. + +## Coordinated Vulnerability Disclosure Policy and Safe Harbor + +For the most up-to-date version of the policies that govern vulnerability +disclosure, please consult the [HackerOne program page][hackerone-policy]. + +The policy hosted on HackerOne is the official Coordinated Vulnerability +Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and +infrastructure it supports, and it supersedes previous security policies that +have been used in the past by individual teams and projects with targets in +scope of the program. + +[hackerone-bounty]: https://hackerone.com/cosmos?type=team +[hackerone-policy]: https://hackerone.com/cosmos?type=team&view_policy=true From 52f322074a9b75f342cbe6993bf9ef6002186ae3 Mon Sep 17 00:00:00 2001 From: Rano | Ranadeep Date: Tue, 24 Sep 2024 11:20:36 +0200 Subject: [PATCH 2/4] update SECURITY.md 
Signed-off-by: Rano | Ranadeep --- SECURITY.md | 46 ++++++++++++++++++++++------------------------ 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 687941442..de394bb7f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,34 +2,32 @@ ## Reporting a Security Vulnerability -If you believe you have found a security vulnerability in the Interchain Stack, -you can report it to our primary vulnerability disclosure channel, the -[Cosmos HackerOne Bug Bounty program][hackerone-bounty]. +If you believe you have found a security vulnerability in `ibc-rs`, you can +privately report it via the project's [**Security** tab][ibc-rs-security] using +[GitHub's private vulnerability reporting system][gh-vulnerability]. -If you prefer to report an issue via email, you may send a bug report to -security@interchain.io with the issue details, reproduction, impact, and other -information. Please submit only one unique email thread per vulnerability. Any -issues reported via email are ineligible for bounty rewards. +> [!IMPORTANT] +> Please **DO NOT** file a public issue in this repository to report a security +> vulnerability. -Artifacts from an email report are saved at the time the email is triaged. -Please note: our team cannot monitor dynamic content (e.g. a Google Docs link -that is edited after receipt) throughout the lifecycle of a report. If you would -like to share additional information or modify previous information, please -include it in an additional reply as an additional attachment. +### Guidelines -Please **DO NOT** file a public issue in this repository to report a security -vulnerability. +Please respect the following when reporting a security vulnerability: -## Coordinated Vulnerability Disclosure Policy and Safe Harbor +- Submit only one unique advisory per vulnerability. +- Explain the vulnerability with examples of exploits. +- Include a severity rating. +- Reply to the opened advisory for any additional information. -For the most up-to-date version of the policies that govern vulnerability -disclosure, please consult the [HackerOne program page][hackerone-policy]. 
+Please avoid or refrain from the following: -The policy hosted on HackerOne is the official Coordinated Vulnerability -Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and -infrastructure it supports, and it supersedes previous security policies that -have been used in the past by individual teams and projects with targets in -scope of the program. +- Share the vulnerability details publicly until the issue is resolved. +- Post personal data or any sensitive information in the advisory. +- Exploit the vulnerability to cause any damage or disruption to production + systems or destruction of production data. -[hackerone-bounty]: https://hackerone.com/cosmos?type=team -[hackerone-policy]: https://hackerone.com/cosmos?type=team&view_policy=true +If the guidelines are followed, the maintainers will understand, resolve and +disclose the vulnerability in a timely manner. + +[ibc-rs-security]: https://github.com/cosmos/ibc-rs/security +[gh-vulnerability]: https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability From fb1910c1cd35b7e3c30e7cd13d16326591d5f908 Mon Sep 17 00:00:00 2001 From: Rano | Ranadeep Date: Tue, 24 Sep 2024 16:11:46 +0200 Subject: [PATCH 3/4] apply suggestions from code review Co-authored-by: Greg Szabo <16846635+greg-szabo@users.noreply.github.com> Signed-off-by: Rano | Ranadeep --- SECURITY.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index de394bb7f..9f2aa7c95 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -14,20 +14,17 @@ privately report it via the project's [**Security** tab][ibc-rs-security] using Please respect the following when reporting a security vulnerability: -- Submit only one unique advisory per vulnerability. -- Explain the vulnerability with examples of exploits. -- Include a severity rating. -- Reply to the opened advisory for any additional information. +- Submit only one unique report per vulnerability. +- Explain the vulnerability in detail and add any known exploits. +- Leave an e-mail address for further follow-up questions. Please avoid or refrain from the following: - Share the vulnerability details publicly until the issue is resolved. -- Post personal data or any sensitive information in the advisory. +- Post personal data or any sensitive information in the report. - Exploit the vulnerability to cause any damage or disruption to production systems or destruction of production data. -If the guidelines are followed, the maintainers will understand, resolve and -disclose the vulnerability in a timely manner. [ibc-rs-security]: https://github.com/cosmos/ibc-rs/security [gh-vulnerability]: https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability From 27e9a110ac555726c02cc4e6adce7b9c9e67d639 Mon Sep 17 00:00:00 2001 From: Rano | Ranadeep Date: Tue, 24 Sep 2024 16:13:53 +0200 Subject: [PATCH 4/4] fmt Signed-off-by: Rano | Ranadeep --- SECURITY.md | 1 - 1 file changed, 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 9f2aa7c95..1ff6d8d25 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -25,6 +25,5 @@ Please avoid or refrain from the following: - Exploit the vulnerability to cause any damage or disruption to production systems or destruction of production data. - [ibc-rs-security]: https://github.com/cosmos/ibc-rs/security [gh-vulnerability]: https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
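Review bot: In PATCH 1/4, the email channel (security@interchain.io) is offered with no way to encrypt the report, so reproduction details would travel in plaintext; consider publishing a PGP key fingerprint beside the address or telling email reporters to keep the sensitive details for the HackerOne form. The file is also the Interchain-wide template verbatim: it never names `ibc-rs`, so a reader cannot tell from this repository whether it is in scope of the program, and there is no "Supported Versions" section saying which releases receive fixes.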
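Review bot: In PATCH 2/4, dropping the whole "Coordinated Vulnerability Disclosure Policy and Safe Harbor" section leaves the file with no disclosure timeline and no safe-harbor statement for researchers who follow the guidelines; the only remaining promise is "resolve and disclose the vulnerability in a timely manner", and "timely" is undefined. Suggest keeping a short policy paragraph or linking to the one that applies. The email fallback is removed in the same hunk, so a reporter without a GitHub account now has no channel at all; keep the address for that case, or say explicitly that GitHub is the only route. Minor: `[ibc-rs-security]` points at the repository's Security overview page, while `https://github.com/cosmos/ibc-rs/security/advisories/new` opens the private report form directly, and the `> [!IMPORTANT]` alert syntax only renders on GitHub, which is fine for this file but reads as a stray bracketed line elsewhere.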
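Review bot: In PATCH 3/4, deleting the two "If the guidelines are followed ..." lines keeps both the blank line before them and the one after, leaving two consecutive blank lines before `[ibc-rs-security]:`; that is the whitespace PATCH 4/4 then has to remove, so fold it into this commit. On content, "Leave an e-mail address for further follow-up questions" is a new requirement without a reason: GitHub private advisories already give maintainers a thread to reply to the reporter, so either say why email is needed (for example when the reporter's GitHub account is not monitored) or mark it optional.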
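Review bot: The single blank-line deletion in PATCH 4/4 only exists because PATCH 3/4 left a double blank line; squash it into that commit so every step of the series leaves a cleanly formatted file.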