From 73ba63b724e4c1789423f7513cac512ed0106711 Mon Sep 17 00:00:00 2001 From: Deep Kapur Date: Tue, 22 Dec 2020 22:38:35 -0500 Subject: [PATCH] Update SECURITY.md Based on feedback from @zgfzgf and a few others - recommending that we make this change to offer more clarity on what is meant by security issues (which are not always "Critical" in severity). --- SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 592206bc5a9..d53c2b920b5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,11 +2,11 @@ ## Reporting a Vulnerability -For *critical* bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md +For reporting security vulnerabilities/bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md. Security vulnerabilities should be reported via our [Vulnerability Reporting channels](https://github.com/filecoin-project/community/blob/master/SECURITY.md#vulnerability-reporting) and will be eligible for a [Bug Bounty](https://security.filecoin.io/bug-bounty/). Please try to provide a clear description of any bugs reported, along with how to reproduce the bug if possible. More detailed bug reports (especially those with a PoC included) will help us move forward much faster. Additionally, please avoid reporting bugs that already have open issues. Take a moment to search the issue list of the related GitHub repositories before writing up a new report. -Here are some examples of bugs we would consider 'critical': +Here are some examples of bugs we would consider to be security vulnerabilities: * If you can spend from a `multisig` wallet you do not control the keys for. * If you can cause a miner to be slashed without them actually misbehaving. 
@@ -16,8 +16,8 @@ Here are some examples of bugs we would consider 'critical': * If you can craft a message that causes a persistent fork in the network. * If you can cause the total amount of Filecoin in the network to no longer be 2 billion. -This is not an exhaustive list, but should provide some idea of what we consider 'critical'. +This is not an exhaustive list, but should provide some idea of what we consider as a security vulnerability, . ## Reporting a non security bug -For non-critical bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md). +For non-security bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md).
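
Review bot: In the first hunk (`@@ -2,11 +2,11 @@`), the new opening sentence says "security vulnerabilities/bugs", which blurs the split this file draws between the "Reporting a Vulnerability" section and "Reporting a non security bug". Suggest plain "security vulnerabilities". The same added line also links the community SECURITY.md twice, once as a bare URL and once as the `#vulnerability-reporting` anchor, so the anchored Markdown link alone would do. "will be eligible for a [Bug Bounty]" reads as an unconditional commitment. If eligibility depends on the bounty program's own rules, "may be eligible" is safer wording. Finally, the unchanged context still asks reporters to search the public issue lists for duplicates. Now that the section covers all security vulnerabilities rather than only critical ones, consider stating explicitly that vulnerabilities should not be opened as public GitHub issues.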
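
Review bot: In the second hunk (`@@ -16,8 +16,8 @@`), the added closing sentence ends with stray punctuation: "what we consider as a security vulnerability, ." Suggest "what we consider a security vulnerability." The unchanged heading "## Reporting a non security bug" is now inconsistent with the hyphenated "non-security bugs" on the line added below it, so hyphenate the heading in the same change. The commit message says security issues are not always critical in severity, yet the example list shown here (persistent fork, total supply no longer 2 billion) is unchanged and describes only high-impact cases. Adding one lower-severity example would make the new wording match the stated intent.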