Merge pull request #142 from anonimal/VRP

VRP: various additions
luigi1111 2017-12-04 22:39:03 -06:00 committed by GitHub
commit bf88b47a7b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -9,6 +9,12 @@
2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** 2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
3. While **Kovri** is in a pre-Alpha release state, HackerOne should not be used for disclosure. All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri)
4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org)
5. Bounty will not be available for **Kovri** until **Kovri Beta** is released
## I. Points of Contact for Security Issues ## I. Points of Contact for Security Issues
### Monero (CLI/GUI/Website) ### Monero (CLI/GUI/Website)
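Review bot: new item 3 sends all Kovri issues to the public GitHub tracker, which conflicts with the encrypted-channel handling this document requires in section III for anything security-relevant. Consider splitting the sentence: non-security Kovri bugs go to GitHub, while Kovri vulnerabilities still go to the Kovri Points of Contact listed in section I until HackerOne is enabled. Items 3 and 5 both set Kovri-specific conditions and could be merged into one item, and items 3 and 5 lack the trailing period the neighbouring items have.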
@ -54,7 +60,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels 3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels
4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability 4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability
- a. If submission proves to be vulnerable, proceed to next step - a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step
- b. If not vulnerable: - b. If not vulnerable:
- i. Response Manager responds with reasons why submission is not a vulnerability - i. Response Manager responds with reasons why submission is not a vulnerability
- ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary - ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary
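Review bot: the new condition in 4.a ("proves to be vulnerable with PoC code / exploit") leaves a gap in the branch logic: a report that the Response Team confirms is a real vulnerability but that arrives without a working PoC matches neither 4.a nor 4.b ("If not vulnerable"). Suggest wording such as "proves to be vulnerable (with PoC code / exploit, or with enough technical detail for the Response Team to reproduce it)", since for some bug classes the reporter may reasonably decline to produce an exploit, and step 4 already allows the Response Manager to request whatever is needed to confirm.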
@ -65,6 +71,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- c. LOW: is not easily exploitable - c. LOW: is not easily exploitable
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
7. Respond according to the severity of the vulnerability: 7. Respond according to the severity of the vulnerability:
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
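Review bot: new item 6.d gives the team the final say on severity but no obligation to explain the decision. Because severity now determines the bounty tier in the Bounty Distribution section, suggest adding that the Response Manager communicates the final classification and the reasoning to the researcher, and that disputes are recorded in the ticket. Also, "Monero Response team" should match the "Response Team" naming used in the rest of the document.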
@ -95,6 +102,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
2. If the Incident Response process in section III is successfully completed: 2. If the Incident Response process in section III is successfully completed:
- a. Response Manager contacts researcher and asks if researcher wishes for credit - a. Response Manager contacts researcher and asks if researcher wishes for credit
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
- b. Finalize vulnerability announcement draft and include the following: - b. Finalize vulnerability announcement draft and include the following:
- i. Project name and URL - i. Project name and URL
- ii. Versions known to be affected - ii. Versions known to be affected
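Review bot: typo in the new 2.a.i, "secion" should be "section"; the reference should also use the section number ("section V") to match the "section III" style used elsewhere. Structurally, releasing the bounty is nested under 2.a, which is about asking the researcher whether they want credit; payout does not depend on that answer, so it reads better as its own sub-item (2.b) with the announcement draft shifted to 2.c.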
@ -119,7 +127,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus - c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
## V. Incident Analysis ## V. Bounty Distribution
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
1. 10% reserved for LOW severity bugs
2. 30% reserved for MEDIUM severity bugs
3. 60% for HIGH severity bugs
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
## VI. Incident Analysis
1. Isolate codebase 1. Isolate codebase
- a. Response Team and developers should coordinate to work on the following: - a. Response Team and developers should coordinate to work on the following:
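Review bot: the last bullet of the new Bounty Distribution section is ambiguous about the base of the 10% cap. "Each bug will at most receive 10% of each category. Example: 10% of 60%" reads as 10% of the category's reserved share (so 6% of the total pool for HIGH), but "at most" also implies a range below the cap with no statement of who sets the actual amount or on what basis. Suggest stating explicitly: the cap is 10% of the remaining reserve for that severity at payout time, and the Response Team fixes the amount within the cap. Since the available total shrinks as reports come in, it would also help to say at what point the amount is fixed (at classification or at payout).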
@ -135,7 +153,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. Response Team has 45 days following completion of section III to ensure completion of section V 3. Response Team has 45 days following completion of section III to ensure completion of section V
## VI. Resolutions ## VII. Resolutions
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following: Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
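Review bot: stale cross-reference in the unchanged context line "ensure completion of section V". With the new Bounty Distribution section inserted as V, Incident Analysis is now section VI, so this sentence now points at the bounty section instead of the analysis work it is meant to bound. Update it to "section VI" in this PR, and check the rest of the document for other numeric section references affected by the renumbering.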
@ -153,7 +171,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/) - [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email - Email
## VII. Continuous Improvement ## VIII. Continuous Improvement
1. Response Team and developers should hold annual meetings to review the previous year's incidents 1. Response Team and developers should hold annual meetings to review the previous year's incidents