Skip to content

Commit

Permalink
Update Security Procedures for Hacker One Program (#1382)
Browse files Browse the repository at this point in the history
* Create SECURITY.md

* Update README.md with security instructions
  • Loading branch information
akc2267 authored Jan 19, 2024
1 parent 4ad5ab2 commit 9bd144e
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 2 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,8 +200,8 @@ Additional information on how IBC works can be found [here](https://ibc.cosmos.n

## Security Notice

If you would like to report a security critical bug related to the relayer repo,
please reach out @jackzampolin or @Ethereal0ne on telegram.
If you would like to report a security bug related to the relayer repo,
please follow the instructions in [SECURITY.md](SECURITY.md).

## Code of Conduct

Expand Down
53 changes: 53 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Coordinated Vulnerability Disclosure Policy

The Cosmos ecosystem believes that strong security is a blend of highly
technical security researchers who care about security and the forward
progression of the ecosystem and the attentiveness and openness of Cosmos core
contributors to help continually secure our operations.

> **IMPORTANT**: *DO NOT* open public issues on this repository for security
> vulnerabilities.
## Reporting a Vulnerability

| Reporting methods | Bounty eligible |
|---------------------------------------------------------------|-----------------|
| [HackerOne program][h1] | yes |
| [security@interchain.io](mailto:security@interchain.io) | no |

Issues identified in this repository may be eligible for a [bug bounty][h1]. For your report to be bounty
eligible it must be reported exclusively through the [HackerOne Bug Bounty][h1].

If you do not wish to be eligible for a bounty or do not want to use the HackerOne platform to report an
issue, please send your report via email to [security@interchain.io](mailto:security@interchain.io) with
reproduction steps and details of the issue.

### Guidelines

We require that all researchers:

* Abide by this policy to disclose vulnerabilities, and avoid posting
vulnerability information in public places, including GitHub, Discord,
Telegram, and Twitter.
* Make every effort to avoid privacy violations, degradation of user experience,
disruption to production systems (including but not limited to the Cosmos
Hub), and destruction of data.
* Keep any information about vulnerabilities that you’ve discovered confidential
between yourself and the Cosmos engineering team until the issue has been
resolved and disclosed.
* Avoid posting personally identifiable information, privately or publicly.

If you follow these guidelines when reporting an issue to us, we commit to:

* Not pursue or support any legal action related to your research on this
vulnerability
* Work with you to understand, resolve and ultimately disclose the issue in a
timely fashion

## Coordinated Vulnerability Disclosure Policy and Safe Harbor

For the most up-to-date version of the policies that govern vulnerability disclosure, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team&view_policy=true).

The policy hosted on HackerOne is the official Coordinated Vulnerability Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of the program.

[h1]: https://hackerone.com/cosmos

0 comments on commit 9bd144e

Please sign in to comment.