From 10d7616b90319d606e86b0d914d82028e3521279 Mon Sep 17 00:00:00 2001 From: anonimal Date: Wed, 29 Nov 2017 07:39:47 +0000 Subject: [PATCH 1/4] VRP: add new caveats to Preamble --- VULNERABILITY_RESPONSE_PROCESS.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 779d0c8..bc97990 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -9,6 +9,12 @@ 2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** +3. While **Kovri** is in a pre-Alpha release state, HackerOne should not be used for disclosure. All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri) + +4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org) + +5. Bounty will not be available for **Kovri** until **Kovri Beta** is released + ## I. Points of Contact for Security Issues ### Monero (CLI/GUI/Website) From 4d7b2d86299d3e69ca5e1adb193ae6f0e4f72230 Mon Sep 17 00:00:00 2001 From: anonimal Date: Wed, 29 Nov 2017 23:32:08 +0000 Subject: [PATCH 2/4] VRP: add section Bounty Distribution --- VULNERABILITY_RESPONSE_PROCESS.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index bc97990..2eb8568 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md 
@@ -101,6 +101,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 2. If the Incident Response process in section III is successfully completed: - a. Response Manager contacts researcher and asks if researcher wishes for credit + - i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution" - b. Finalize vulnerability announcement draft and include the following: - i. Project name and URL - ii. Versions known to be affected @@ -125,7 +126,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 - c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public -## V. Incident Analysis +## V. Bounty Distribution + +- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/). +- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p. +- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.): + 1. 10% reserved for LOW severity bugs + 2. 30% reserved for MEDIUM severity bugs + 3. 60% for HIGH severity bugs +- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug. + +## VI. Incident Analysis 1. Isolate codebase - a. Response Team and developers should coordinate to work on the following: 
@@ -141,7 +152,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 3. Response Team has 45 days following completion of section III to ensure completion of section V -## VI. Resolutions +## VII. Resolutions Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following: @@ -159,7 +170,7 @@ Any further questions or resolutions regarding the incident(s) between the resea - [Reddit /r/Kovri](https://reddit.com/r/Kovri/) - Email -## VII. Continuous Improvement +## VIII. Continuous Improvement 1. Response Team and developers should hold annual meetings to review the previous year's incidents From 93abfa7280325527d90fdec19bcc4baac793cdc0 Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 30 Nov 2017 00:05:08 +0000 Subject: [PATCH 3/4] VRP: add new line for defining bug severity --- VULNERABILITY_RESPONSE_PROCESS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 2eb8568..39e5e02 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -71,6 +71,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - c. LOW: is not easily exploitable + - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity 7. Respond according to the severity of the vulnerability: - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification From 611f2461a646c0ccf3b5699c2304970ab0064ff4 Mon Sep 17 00:00:00 2001 
From: anonimal Date: Sat, 2 Dec 2017 00:32:57 +0000 Subject: [PATCH 4/4] VRP: clarify PoC submission requirement --- VULNERABILITY_RESPONSE_PROCESS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index 39e5e02..3d1106a 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -60,7 +60,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels 4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability - - a. If submission proves to be vulnerable, proceed to next step + - a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step - b. If not vulnerable: - i. Response Manager responds with reasons why submission is not a vulnerability - ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary
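Review bot: preamble point 3 in the first hunk ("All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri)") routes pre-Alpha Kovri vulnerability reports to a public issue tracker, which publishes the bug before any fix exists and conflicts with section III, where the Response Team must respond "using only encrypted, secure channels". Keep GitHub for non-security bugs and point security reports at the Kovri contact in section I, e.g. "All **Kovri** security issues should be reported to the Kovri point of contact in section I; other issues go to GitHub". Minor: the three new points have no terminal punctuation, unlike point 2 above them.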
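Review bot: the line "+ - i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"" in the @@ -101 hunk has a typo ("secion" should be "section") and is nested under 2.a, the step that asks the researcher whether they want credit, so the payout reads as a sub-step of the credit question. Make it its own item (e.g. a new "c." after the announcement draft) and cite the section by the number this same patch assigns it ("section V. Bounty Distribution"). It would also help to say that the XMR payout address is exchanged over the encrypted channel required by section III.3, since nothing else in the process says where that address comes from.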
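Review bot: in the @@ -125 hunk, "Each bug will at most receive 10% of each category" never says when "available XMR bounty" is measured, yet the bullet before it states the supply shrinks with every payout, so two reports of the same severity received a day apart can be paid different amounts with no stated rule. Pin the share to a point in time (the pool balance when the report is classified under section III.6, or at payout) and write it in. "10% of each category" also reads as a cut of every category; say "at most 10% of the category's reserved share" and keep the example ("10% of 60% of the available pool for a HIGH severity bug"). Minor: "a.s.a.p." should be "as soon as possible", and since payouts are "in Monero XMR only" it is worth stating that the two third-party price-tracker links are informational and that the XMR amount, not a fiat figure, is what is owed.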
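Review bot: the context line "3. Response Team has 45 days following completion of section III to ensure completion of section V" in the @@ -141 hunk still says section V, but this patch renumbers Incident Analysis from V to VI and makes V the new Bounty Distribution section, so the 45-day deadline now reads as a deadline for paying bounties. Change it to "section VI" in the same commit as the renumbering, and check the parts of the file the hunk context does not show for other "section V" / "section VI" references.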
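Review bot: the added "- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity" is a decision rule placed in the a/b/c list of severity levels, and "Monero Response team" does not match the "Response Team" spelling used everywhere else in the file (e.g. "Response Team should gratefully respond to researcher"). Move it out of the level list (a sentence after it, or a separate item under 6.) and use "Response Team". Because the severity class fixes the bounty share under Bounty Distribution, say that the final classification and its reasons are sent to the researcher in writing over the encrypted channel.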
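Review bot: after the change to "- a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step", a report that is a real vulnerability but arrives without a PoC matches neither branch: it is not "vulnerable with PoC" (a) and not "not vulnerable" (b), so the process has no next action for it. Either make the PoC part of the inquiries in step 4 before the branch, or add "a.ii. If vulnerable but no PoC is supplied, Response Manager asks for reproduction steps; the report is not closed". Also say the PoC must target the code and not the live sites, since the preamble puts the live sites out of scope, and whether reproduction steps are accepted where a working exploit is impractical.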