From 9f147306e4fdc63fb7ca15d4a0dc5a50b5794c7a Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 25 Jan 2018 16:27:00 +0000 Subject: [PATCH 1/4] VRP: re-org the preamble, create kovri section --- VULNERABILITY_RESPONSE_PROCESS.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 47a3c4f..0ef06a7 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -1,6 +1,6 @@ # The Monero Project Vulnerability Response Process -## Preamble +## Preamble (Monero/Kovri) 1. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: - Denial of Service / Active exploiting against the Monero/Kovri networks @@ -9,11 +9,12 @@ 2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** -3. While **Kovri** is in a pre-Alpha release state, HackerOne should not be used for disclosure. All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri) +3. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org) -4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org) +## Preamble (Kovri) -5. Bounty will not be available for **Kovri** until **Kovri Beta** is released +1. While Kovri is in a pre-Alpha release state, do not use HackerOne for disclosure. All Kovri issues MUST be directed to either [GitHub](https://github.com/monero-project/kovri) or Email +2. Bounty will not be available for Kovri until **Kovri Beta** is released ## I. Points of contact for security issues 
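Review bot: in the new "Preamble (Kovri)" item 1, "Email" is left unspecified while GitHub gets a link; a reporter told that Kovri issues MUST go to GitHub "or Email" has no way to know which address or key to use from this paragraph. Suggest pointing at the Kovri contact block in section I (e.g. "or by PGP-encrypted email to the Kovri contacts listed under Points of contact") so the requirement is actionable. Also consider stating in the Monero/Kovri bounty item that the Kovri exception below applies, since "Bounty will be released for all projects" now reads as unconditional until the reader reaches the next section.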
From 7f4975e801fc2cccf4a8356d17cf512f53759096 Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 25 Jan 2018 17:37:08 +0000 Subject: [PATCH 2/4] VRP: formatting fix to preamble --- VULNERABILITY_RESPONSE_PROCESS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 0ef06a7..f76f747 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -3,9 +3,9 @@ ## Preamble (Monero/Kovri) 1. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: -- Denial of Service / Active exploiting against the Monero/Kovri networks -- Social Engineering of Monero/Kovri Project staff or contractors -- Any physical or electronic attempts against Monero/Kovri community property and/or data centers + - Denial of Service / Active exploiting against the Monero/Kovri networks + - Social Engineering of Monero/Kovri Project staff or contractors + - Any physical or electronic attempts against Monero/Kovri community property and/or data centers 2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** From 5a39ee599172819ffa94af8895d1e17b708d41c0 Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 25 Jan 2018 17:40:58 +0000 Subject: [PATCH 3/4] VRP: specify that PGP key is a PGP key in preamble --- VULNERABILITY_RESPONSE_PROCESS.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index f76f747..49ece7d 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md 
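Review bot: the sub-bullets under item 1 are indented by two spaces, but the enclosing marker "1. " is three columns wide; CommonMark-based renderers (including GitHub's) require nested list content to be indented to the marker's content column, so two spaces can render as a separate top-level bullet list rather than a sub-list of item 1. Suggest three spaces ("   - Denial of Service ...") for the three lines in this hunk so the nesting is unambiguous.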
@@ -22,17 +22,17 @@ ``` ric [at] getmonero.org -BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 +PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 luigi1111 [at] getmonero.org -8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010 +PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010 ``` ### Monero (CLI/GUI) ``` moneromooo.monero [at] gmail.com -48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3 +PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3 ``` ### Kovri (CLI/Website) @@ -40,7 +40,7 @@ moneromooo.monero [at] gmail.com ``` anonimal [at] i2pmail.org anonimal [at] mail.i2p -PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 +PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 ``` ## II. Security response team From f01d36de29e94b9d5d3eac8bb9c7d42a34de3515 Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 25 Jan 2018 17:48:39 +0000 Subject: [PATCH 4/4] VRP: clarify that both code *and* research are applicable --- VULNERABILITY_RESPONSE_PROCESS.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 49ece7d..cfbdd4e 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md 
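Review bot: the relabelling to "PGP fingerprint = ..." is consistent across the three blocks, but the contact section still gives no location for the public keys themselves (keyserver, URL, or a path in the repository). A reporter who only has a fingerprint has to search for the key and then compare, which is where mistakes and look-alike keys creep in. Suggest adding one line per block, or one sentence above the blocks, stating where the keys are published so the fingerprint can be verified against a known source.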
@@ -2,14 +2,18 @@ ## Preamble (Monero/Kovri) -1. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: +1. This Vulnerability Response Process and subsequent bounty reward apply to the following: + - Code implementation as seen in the Monero Project GitHub repositories + - Written research from the Monero Research Lab which dictates said code implementation + +2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: - Denial of Service / Active exploiting against the Monero/Kovri networks - Social Engineering of Monero/Kovri Project staff or contractors - Any physical or electronic attempts against Monero/Kovri community property and/or data centers -2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** +3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** -3. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org) +4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org) ## Preamble (Kovri)
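Review bot: inserting a new item 1 forces manual renumbering of items 2 through 4, which is why three otherwise unchanged lines appear in this hunk; markdown renders ordered lists from the sequence regardless of the literal digits, so writing every item as "1." avoids this churn in future edits. On content, the new item 1 says the process applies to "Code implementation as seen in the Monero Project GitHub repositories" without saying whether the Kovri repositories are included, while the Kovri preamble below withholds bounty until Beta; suggest making that relationship explicit here. The new sub-bullets under item 1 also use two-space indentation under a three-column "1. " marker, which may not nest under CommonMark; three spaces is safer.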