diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index d32f2f1..8232ed8 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -83,11 +83,13 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 5. If over email, Response Manager opens a HackerOne issue for new submission -6. Establish severity of vulnerability: - - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - - c. LOW: is not easily exploitable or is low impact - - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity +6. Define severity: + - a. Establish severity of vulnerability: + - i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe + - ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited + - iii. LOW: is not easily exploitable or is low impact + - b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity + - c. Since a systematic DoS hunt has not been completed on any code, DoS's which do not crash a node remotely will receive a lower bounty reward 7. Respond according to the severity of the vulnerability: - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
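Review bot: the new item 6.c ties a bounty outcome to a DoS finding without saying which severity class such a finding falls into, so the response deadlines in item 7 (which key off HIGH/MEDIUM/LOW) cannot be applied deterministically to it. Consider stating the mapping explicitly, for example "DoS's which do not crash a node remotely are classified MEDIUM or LOW at the Response team's discretion and will receive a lower bounty reward", or moving the bounty sentence to wherever rewards are defined and leaving 6.c purely about classification. The justification "Since a systematic DoS hunt has not been completed on any code" is a point-in-time condition; add who decides when that condition no longer holds and that the rule is to be revisited then, otherwise it will silently outlive its rationale. Minor: "DoS's" reads as a possessive; "DoS issues" or "DoS bugs" is clearer.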