Merge pull request #147 from xmr-eric/patch-1

VULNERABILITY_RESPONSE_PROCESS.md: Better headings
luigi1111 2017-12-07 01:51:10 -06:00 committed by GitHub
commit a68604c76d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -15,9 +15,9 @@
5. Bounty will not be available for **Kovri** until **Kovri Beta** is released 5. Bounty will not be available for **Kovri** until **Kovri Beta** is released
## I. Points of Contact for Security Issues ## I. Points of contact for security issues
### Monero (CLI/GUI/Website) ### Monero (CLI/GUI/website)
``` ```
ric [at] getmonero.org ric [at] getmonero.org
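Review bot: the switch to sentence case in "## I. Points of contact for security issues" and "### Monero (CLI/GUI/website)" is consistent with the other heading changes in this PR, and keeping "CLI" and "GUI" uppercase while lowercasing "website" is the right call since only the acronyms are proper abbreviations. The section numerals are what the body text uses for cross-references ("section III"), so the case change does not break any of them.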
@ -42,14 +42,14 @@ anonimal [at] mail.i2p
PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
``` ```
## II. Security Response Team ## II. Security response team
- fluffypony - fluffypony
- luigi1111 - luigi1111
- moneromooo - moneromooo
- anonimal - anonimal
## III. Incident Response ## III. Incident response
1. Researcher submits report via one or both of two methods: 1. Researcher submits report via one or both of two methods:
- a. Email - a. Email
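Review bot: lowercasing the headings to "## II. Security response team" and "## III. Incident response" leaves them out of step with the body, which still treats "Response Team", "Response Manager" and "the Incident Response process in section III" as capitalized proper terms in the unchanged lines. Either keep these two headings capitalized as the names of defined roles and processes, or lowercase the body usages in the same PR so the document follows one convention.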
@ -96,13 +96,13 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- b. Response Manager includes vulnerability announcement draft in release notes - b. Response Manager includes vulnerability announcement draft in release notes
- c. Proceed with the Point or Regular Release - c. Proceed with the Point or Regular Release
## IV. Post-release Disclosure Process ## IV. Post-release disclosure process
1. Response Team has 90 days to fulfill all points within section III 1. Response Team has 90 days to fulfill all points within section III
2. If the Incident Response process in section III is successfully completed: 2. If the Incident Response process in section III is successfully completed:
- a. Response Manager contacts researcher and asks if researcher wishes for credit - a. Response Manager contacts researcher and asks if researcher wishes for credit
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution" - i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution"
- b. Finalize vulnerability announcement draft and include the following: - b. Finalize vulnerability announcement draft and include the following:
- i. Project name and URL - i. Project name and URL
- ii. Versions known to be affected - ii. Versions known to be affected
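Review bot: the "secion" to "section" fix on the line "i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution"" is a typo correction rather than a heading change, so it should be mentioned in the commit message, which currently says only "Better headings". That same line quotes the section title as "Bounty Distribution", while this PR renames the heading to "## V. Bounty distribution"; update the quoted title to match the new heading so the cross-reference stays exact.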
@ -127,7 +127,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus - c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
## V. Bounty Distribution ## V. Bounty distribution
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/). - Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p. - As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
@ -137,7 +137,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. 60% for HIGH severity bugs 3. 60% for HIGH severity bugs
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug. - Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
## VI. Incident Analysis ## VI. Incident analysis
1. Isolate codebase 1. Isolate codebase
- a. Response Team and developers should coordinate to work on the following: - a. Response Team and developers should coordinate to work on the following:
@ -171,7 +171,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/) - [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email - Email
## VIII. Continuous Improvement ## VIII. Continuous improvement
1. Response Team and developers should hold annual meetings to review the previous year's incidents 1. Response Team and developers should hold annual meetings to review the previous year's incidents