mirror of
https://github.com/monero-project/meta.git
synced 2024-12-22 19:49:23 +00:00
VRP: add section Bounty Distribution
This commit is contained in:
parent
10d7616b90
commit
4d7b2d8629
1 changed files with 14 additions and 3 deletions
|
@ -101,6 +101,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
||||||
|
|
||||||
2. If the Incident Response process in section III is successfully completed:
|
2. If the Incident Response process in section III is successfully completed:
|
||||||
- a. Response Manager contacts researcher and asks if researcher wishes for credit
|
- a. Response Manager contacts researcher and asks if researcher wishes for credit
|
||||||
|
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
|
||||||
- b. Finalize vulnerability announcement draft and include the following:
|
- b. Finalize vulnerability announcement draft and include the following:
|
||||||
- i. Project name and URL
|
- i. Project name and URL
|
||||||
- ii. Versions known to be affected
|
- ii. Versions known to be affected
|
||||||
|
@ -125,7 +126,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
||||||
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
|
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
|
||||||
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
|
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
|
||||||
|
|
||||||
## V. Incident Analysis
|
## V. Bounty Distribution
|
||||||
|
|
||||||
|
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
|
||||||
|
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
|
||||||
|
- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
|
||||||
|
1. 10% reserved for LOW severity bugs
|
||||||
|
2. 30% reserved for MEDIUM severity bugs
|
||||||
|
3. 60% for HIGH severity bugs
|
||||||
|
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
|
||||||
|
|
||||||
|
## VI. Incident Analysis
|
||||||
|
|
||||||
1. Isolate codebase
|
1. Isolate codebase
|
||||||
- a. Response Team and developers should coordinate to work on the following:
|
- a. Response Team and developers should coordinate to work on the following:
|
||||||
|
@ -141,7 +152,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
||||||
|
|
||||||
3. Response Team has 45 days following completion of section III to ensure completion of section V
|
3. Response Team has 45 days following completion of section III to ensure completion of section V
|
||||||
|
|
||||||
## VI. Resolutions
|
## VII. Resolutions
|
||||||
|
|
||||||
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
|
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
|
||||||
|
|
||||||
|
@ -159,7 +170,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
|
||||||
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
|
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
|
||||||
- Email
|
- Email
|
||||||
|
|
||||||
## VII. Continuous Improvement
|
## VIII. Continuous Improvement
|
||||||
|
|
||||||
1. Response Team and developers should hold annual meetings to review the previous year's incidents
|
1. Response Team and developers should hold annual meetings to review the previous year's incidents
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue