monero-project/meta
monero-project/meta
1
0
Fork 0
mirror of https://github.com/monero-project/meta.git synced 2024-09-29 03:51:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

VRP: add section Bounty Distribution

Browse source
This commit is contained in:
anonimal 2017-11-29 23:32:08 +00:00
parent 10d7616b90
commit 4d7b2d8629
No known key found for this signature in database
GPG key ID: 66A76ECF914409F1
1 changed files with 14 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
VULNERABILITY_RESPONSE_PROCESS.md
View file

@ -101,6 +101,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
2. If the Incident Response process in section III is successfully completed:
- a. Response Manager contacts researcher and asks if researcher wishes for credit
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
- b. Finalize vulnerability announcement draft and include the following:
- i. Project name and URL
- ii. Versions known to be affected
@ -125,7 +126,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
## V. Incident Analysis
## V. Bounty Distribution
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
1. 10% reserved for LOW severity bugs
2. 30% reserved for MEDIUM severity bugs
3. 60% for HIGH severity bugs
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
## VI. Incident Analysis
1. Isolate codebase
- a. Response Team and developers should coordinate to work on the following:
@ -141,7 +152,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. Response Team has 45 days following completion of section III to ensure completion of section V
## VI. Resolutions
## VII. Resolutions
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
@ -159,7 +170,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email
## VII. Continuous Improvement
## VIII. Continuous Improvement
1. Response Team and developers should hold annual meetings to review the previous year's incidents