SECURITY.md: add clarification on binary exploitation

This commit is contained in:
tobtoht 2024-10-08 19:15:55 +02:00
parent c600e4d376
commit 130432fd23
No known key found for this signature in database
GPG key ID: E45B10DD027D2472


@ -35,6 +35,7 @@ Clarifications on scope:
- Any form of coercion, physical or psychological, is out of scope. - Any form of coercion, physical or psychological, is out of scope.
- Vulnerabilities that are attributable to hardware are out of scope. - Vulnerabilities that are attributable to hardware are out of scope.
- If the issue was fixed in the `master` branch before we receive your report, it is invalid and not eligible for a bounty from this program. - If the issue was fixed in the `master` branch before we receive your report, it is invalid and not eligible for a bounty from this program.
- If the vulnerability involves binary exploitation, we may ask you to provide a proof of concept of secret key exfiltration.
- Vulnerabilities that are present in the monero submodule but were not introduced in patches made by the Feather developers must - Vulnerabilities that are present in the monero submodule but were not introduced in patches made by the Feather developers must
be reported [upstream](https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md) and are not eligible for a bounty from this program. be reported [upstream](https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md) and are not eligible for a bounty from this program.
- Vulnerabilities that are present in any of our third-party dependencies must be reported upstream and are not eligible for a bounty from this program. - Vulnerabilities that are present in any of our third-party dependencies must be reported upstream and are not eligible for a bounty from this program.
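Review bot: the new bullet on binary exploitation leaves open what happens when a reporter cannot or does not provide the requested proof of concept of secret key exfiltration, so it is unclear whether the report then becomes ineligible, is paid at a lower tier, or is simply triaged with less priority; the neighbouring bullets each state the consequence explicitly ("out of scope", "invalid and not eligible for a bounty"), so consider adding one here, for example "Reports without such a proof of concept may be assessed as lower severity." It would also help to say which secret key material is meant (the wallet seed or the wallet's private keys), since "secret key" on its own is less precise than the rest of the scope list.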