From 52a18fdfe173308272fdf85e3588dd7b3e607fb3 Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 11 Apr 2022 11:52:22 +0200 Subject: [PATCH 1/3] Create link to SECURITY.md in other repo --- SECURITY.md | 40 +++------------------------------------- 1 file changed, 3 insertions(+), 37 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4ad89c7c0c..16b2f7f824 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,39 +1,5 @@ # Security Policy -## Reporting a Vulnerability - -Please report any security issues via email to security@confio.gmbh. - -You will receive a response from us within 2 working days. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days. - -Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues. - -## Supported Versions - -This is alpha software, do not run on a production system. Notably, we currently provide no migration path not even "dump state and restart" to move to future versions. - -We will have a stable v0.x version before the final v1.0.0 version with the same API as the v1.0 version in order to run last testnets and manual testing on it. We have not yet committed to that version number. wasmd 0.22 will support Cosmos SDK 0.44/0.45 and should be quite close to a final API, minus some minor details. - -Our v1.0.0 release plans were also delayed by upstream release cycles, and we have continued to refine APIs while we can. - -## Coordinated Vulnerability Disclosure Policy - -We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you: - - - Allow us a reasonable amount of time to correct or address security vulnerabilities. - - Avoid exploiting any vulnerabilities that you discover. - - Demonstrate good faith by not disrupting or degrading services built on top of this software. - -## Vulnerability Disclosure Process - -Confio uses the following disclosure process for the various CosmWasm-related repos: - - - Once a security report is received, the core development team works to verify the issue. - - Patches are prepared for eligible releases in private repositories. 
- - We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators. Please also see [CosmWasm/advisories](https://github.com/CosmWasm/advisories) if you want to receive notifications. - - No less than 24 hours following this notification, the fixes are applied publicly and new releases are issued. - - Once releases are available, we notify the community, again, through the same channels as above. - - Once the patches have been properly rolled out, we will publish a post with further details on the vulnerability as well as our response to it. - - Note that we are working on a concept for bug bounties and they are not currently available. - - This process can take some time. Every effort will be made to handle the bug as quickly and thoroughly as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep this codebase and the projects that depend on them secure. \ No newline at end of file +This repository is maintained by Confio as part of the CosmWasm stack. +Please see https://github.com/CosmWasm/advisories/blob/main/SECURITY.md +for our security policy. From 2d5bd2203df866a9fa412b8cbbfd9e8b3c0f249e Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 11 Apr 2022 13:37:20 +0200 Subject: [PATCH 2/3] Bring back Supported Versions --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 16b2f7f824..ca5f2a4001 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -3,3 +3,11 @@ This repository is maintained by Confio as part of the CosmWasm stack. Please see https://github.com/CosmWasm/advisories/blob/main/SECURITY.md for our security policy. + +## Supported Versions + +This is alpha software, do not run on a production system. Notably, we currently provide no migration path not even "dump state and restart" to move to future versions. + +We will have a stable v0.x version before the final v1.0.0 version with the same API as the v1.0 version in order to run last testnets and manual testing on it. We have not yet committed to that version number. wasmd 0.22 will support Cosmos SDK 0.44/0.45 and should be quite close to a final API, minus some minor details. + +Our v1.0.0 release plans were also delayed by upstream release cycles, and we have continued to refine APIs while we can. From d482ab37a8d61ed1f5a7ea38fecd7f7435ec1eef Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 11 Apr 2022 13:37:35 +0200 Subject: [PATCH 3/3] Bump 0.22 -> 0.25 --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index ca5f2a4001..021b58b510 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -8,6 +8,6 @@ for our security policy. This is alpha software, do not run on a production system. Notably, we currently provide no migration path not even "dump state and restart" to move to future versions. -We will have a stable v0.x version before the final v1.0.0 version with the same API as the v1.0 version in order to run last testnets and manual testing on it. We have not yet committed to that version number. wasmd 0.22 will support Cosmos SDK 0.44/0.45 and should be quite close to a final API, minus some minor details. +We will have a stable v0.x version before the final v1.0.0 version with the same API as the v1.0 version in order to run last testnets and manual testing on it. We have not yet committed to that version number. wasmd 0.25 will support Cosmos SDK 0.44/0.45 and should be quite close to a final API, minus some minor details. Our v1.0.0 release plans were also delayed by upstream release cycles, and we have continued to refine APIs while we can.
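Review bot: In the hunk for PATCH 1/3 (`@@ -1,39 +1,5 @@`), the deletion removes the repo-specific "Supported Versions" section together with the generic reporting and disclosure text, but the version and migration caveats ("This is alpha software, do not run on a production system ... no migration path") describe this repository, not the shared CosmWasm policy, so they would not be covered by the linked https://github.com/CosmWasm/advisories/blob/main/SECURITY.md. Suggest keeping that section in this file alongside the new link so readers still find the wasmd-specific support status here.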
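Review bot: In the hunk for PATCH 2/3 (`@@ -3,3 +3,11 @@`), the restored sentence "Notably, we currently provide no migration path not even "dump state and restart" to move to future versions." is missing punctuation before "not even", and "This is alpha software, do not run on a production system." is a comma splice; suggest "no migration path, not even "dump state and restart", to move to future versions" and "This is alpha software; do not run it on a production system." Also the restored text still states "wasmd 0.22", which is already out of date in this series.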
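Review bot: In the hunk for PATCH 3/3 (`@@ -8,6 +8,6 @@`), the only change is "wasmd 0.22" to "wasmd 0.25" inside a sentence that pins a release to "Cosmos SDK 0.44/0.45"; a hard-coded version in SECURITY.md will go stale again with each release, as this very bump shows. Suggest either pointing readers to the release notes for the current SDK compatibility or making the version bump part of the release checklist so the policy text stays accurate.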