VRP: add section Bounty Distribution

2024-11-17 08:18:00 +00:00 · 2017-11-29 23:32:08 +00:00 · 2017-11-29 23:32:08 +00:00 · 4d7b2d8629
commit 4d7b2d8629
parent 10d7616b90
1 changed files with 14 additions and 3 deletions
--- a/VULNERABILITY_RESPONSE_PROCESS.md
+++ b/VULNERABILITY_RESPONSE_PROCESS.md
@ -101,6 +101,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1
 2. If the Incident Response process in section III is successfully completed:
    - a. Response Manager contacts researcher and asks if researcher wishes for credit
      - i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
    - b. Finalize vulnerability announcement draft and include the following:
      - i. Project name and URL
      - ii. Versions known to be affected
@ -125,7 +126,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1
    - c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
    - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
-## V. Incident Analysis
+## V. Bounty Distribution
 - Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
 - As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
 - The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
  1. 10% reserved for LOW severity bugs
  2. 30% reserved for MEDIUM severity bugs
  3. 60% for HIGH severity bugs
 - Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
 ## VI. Incident Analysis
 1. Isolate codebase
    - a. Response Team and developers should coordinate to work on the following:
@ -141,7 +152,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1
 3. Response Team has 45 days following completion of section III to ensure completion of section V
-## VI. Resolutions
+## VII. Resolutions
 Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
@ -159,7 +170,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
 - [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
 - Email
-## VII. Continuous Improvement
+## VIII. Continuous Improvement
 1. Response Team and developers should hold annual meetings to review the previous year's incidents