VRP: remove Kovri + update points of contact

anonimal 2020-01-17 22:15:58 +00:00
parent ea44bed832
commit 1cadbcdcd7
No known key found for this signature in database
GPG key ID: 66A76ECF914409F1

@ -1,6 +1,6 @@
# The Monero Project Vulnerability Response Process
## Preamble (Monero/Kovri)
## Preamble
1. This Vulnerability Response Process and subsequent bounty reward apply to the following:
- Code implementation as seen in the Monero Project GitHub repositories
@ -8,9 +8,9 @@
- Written research from the Monero Research Lab which dictates said code implementation
2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:
- Denial of Service / Active exploiting against the Monero/Kovri networks
- Social Engineering of Monero/Kovri Project staff or contractors
- Any physical or electronic attempts against Monero/Kovri community property and/or data centers
- Denial of Service / Active exploiting against the Monero networks
- Social Engineering of Monero Project staff or contractors
- Any physical or electronic attempts against Monero community property and/or data centers
3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
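Review bot: with Kovri gone there is only one network left, so the first replacement bullet should read "Denial of Service / Active exploiting against the Monero network" (singular) rather than "Monero networks"; the rest of the document already speaks of "the network" / "the network hash rate" in the singular. The other two bullets in this hunk are fine as rewritten.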
@ -20,30 +20,22 @@
- do not abide by the VRP for responsible disclosure
- do not allow the completion of VRP points I through IV
## Preamble (Monero)
1. Attacks which require more than 50% of the network hash rate to execute are out of policy scope
## Preamble (Kovri)
1. While Kovri is in a pre-Beta release state, do not use HackerOne for disclosure. All Kovri issues MUST be directed to either [GitHub](https://github.com/monero-project/kovri) or Email
2. Bounty will not be available for Kovri until **Kovri Beta** is released
6. Attacks which require more than 50% of the network hash rate to execute are out of policy scope
## I. Points of contact for security issues
### Monero (CLI/GUI/website)
**Please, CC all points of contact if you decide to use email instead of HackerOne**
```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
ric [at] getmonero.org
PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9
luigi1111 [at] getmonero.org
PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010
```
### Monero (CLI/GUI)
```
moneromooo on Freenode
PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3
If pasting GPG encrypted data, use fpaste.org or pastebin.mozilla.org
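Review bot: the 50% hash-rate exclusion is hoisted out of the deleted "## Preamble (Monero)" subsection and renumbered as item 6 of the main preamble, but items 4 and 5 are outside this hunk (only their sub-bullets "do not abide by the VRP..." / "do not allow the completion of VRP points I through IV" are visible), so please check the surrounding file that the list actually runs 1 through 5 before this line and that no other item is already numbered 6. Separately, now that the "### Kovri (CLI/Website)" heading is being removed, section I is left with two headings that both say "### Monero": "(CLI/GUI/website)" for the three e-mail contacts and "(CLI/GUI)" for moneromooo on Freenode. Since the difference is the channel (e-mail vs IRC/OTR) rather than the component, consider renaming them, e.g. "### Email" and "### IRC", or merging them under one heading.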
@ -51,19 +43,12 @@ or paste.debian.net as these don't blackball Tor via Cloudflare.
OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A
```
### Kovri (CLI/Website)
```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
```
## II. Security response team
- anonimal
- fluffypony
- luigi1111
- moneromooo
- anonimal
## III. Incident response
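Review bot: anonimal appears both at the top and at the bottom of the "## II. Security response team" list in this hunk; if this is a move to alphabetical position (anonimal, fluffypony, luigi1111, moneromooo) that is fine, but confirm the resulting list contains the name once and not twice. Dropping the "### Kovri (CLI/Website)" block loses no reachability, since the same anonimal address and PGP fingerprint (1218 6272 ... 9144 09F1) remain in the first Monero contact block above. The commit title only mentions points of contact; a one-line mention of the response-team reorder in the message would help anyone reading the history.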
@ -85,7 +70,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
6. Define severity:
- a. Establish severity of vulnerability:
- i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- i. HIGH: impacts network as a whole, has potential to break entire monero network, results in the loss of monero, or is on a scale of great catastrophe
- ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- iii. LOW: is not easily exploitable or is low impact
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
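Review bot: the MEDIUM definition still says "impacts individual nodes, routers, wallets"; "routers" is Kovri/I2P vocabulary (a Kovri instance is an I2P router) and is now orphaned by this commit, so drop it along with the other Kovri references, leaving "impacts individual nodes, wallets, or must be carefully exploited". Minor: "monero network" in the HIGH line is lowercase while the rest of the document capitalises "Monero".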
@ -177,16 +162,12 @@ Any further questions or resolutions regarding the incident(s) between the resea
- IRC on Freenode
- `#monero-dev`
- `#kovri-dev`
- [GitHub](https://github.com/monero-project/monero/issues/)
- [Monero (CLI)](https://github.com/monero-project/monero/issues/)
- [Monero (GUI)](https://github.com/monero-project/monero-core/issues/)
- [Monero (Website)](https://github.com/monero-project/monero-site/issues/)
- [Kovri](https://github.com/monero-project/kovri/issues/)
- [Kovri (Website)](https://github.com/monero-project/kovri-site/issues/)
- [HackerOne](https://hackerone.com/monero)
- [Reddit /r/Monero](https://reddit.com/r/Monero/)
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email
## VIII. Continuous improvement
@ -194,7 +175,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
1. Response Team and developers should hold annual meetings to review the previous year's incidents
2. Response Team or designated person(s) should give a brief presentation, including:
- a. Areas of Monero/Kovri affected by the incidents
- a. Areas of Monero affected by the incidents
- b. Any network downtime or monetary cost (if any) of the incidents
- c. Ways in which the incidents could have been avoided (if any)
- d. How effective this process was in dealing with the incidents