monero-project/meta
monero-project/meta
1
0
Fork 0
mirror of https://github.com/monero-project/meta.git synced 2024-12-22 19:49:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #176 from anonimal/VRP

Browse source 
VRP: updates to incident response + post-release disclosure process
This commit is contained in:
luigi1111 2018-03-09 14:13:05 -05:00 committed by GitHub
commit ab77989329
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
VULNERABILITY_RESPONSE_PROCESS.md
View file

@ -75,7 +75,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
6. Establish severity of vulnerability: 6. Establish severity of vulnerability:
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- c. LOW: is not easily exploitable - c. LOW: is not easily exploitable or is low impact
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
7. Respond according to the severity of the vulnerability: 7. Respond according to the severity of the vulnerability:
@ -106,7 +106,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
1. Response Team has 90 days to fulfill all points within section III 1. Response Team has 90 days to fulfill all points within section III
2. If the Incident Response process in section III is successfully completed: 2. If the Incident Response process in section III is successfully completed:
- a. Response Manager contacts researcher and asks if researcher wishes for credit - a. Researcher decides whether or not to opt out of receiving name/handle/organization credit. By default, the researcher will receive name/handle/organization credit.
- i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution" - i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution"
- b. Finalize vulnerability announcement draft and include the following: - b. Finalize vulnerability announcement draft and include the following:
- i. Project name and URL - i. Project name and URL