mirror of
https://github.com/monero-project/meta.git
synced 2024-12-23 03:59:24 +00:00
commit
bf88b47a7b
1 changed files with 22 additions and 4 deletions
@ -9,6 +9,12 @@
2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
3. While **Kovri** is in a pre-Alpha release state, HackerOne should not be used for disclosure. All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri)
4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org)
5. Bounty will not be available for **Kovri** until **Kovri Beta** is released
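Review bot: items 4 and 5 are added without terminal punctuation while item 2 in the same list ends with a full stop; "in Monero XMR only" would also read better as "in Monero (XMR) only". Since item 5 defers Kovri bounties until the Kovri Beta release, consider pointing the reader at the Bounty Distribution section this patch introduces, so the bounty terms are stated in one place rather than split between the preamble and section V.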
## I. Points of Contact for Security Issues
## I. Points of Contact for Security Issues
### Monero (CLI/GUI/Website)
### Monero (CLI/GUI/Website)
@ -54,7 +60,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels
3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels
4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability
4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability
- a. If submission proves to be vulnerable, proceed to next step
- a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step
- b. If not vulnerable:
- b. If not vulnerable:
- i. Response Manager responds with reasons why submission is not a vulnerability
- i. Response Manager responds with reasons why submission is not a vulnerability
- ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary
- ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary
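Review bot: the rewritten step 4.a leaves a gap in the decision flow. A report now only advances when it is "vulnerable with PoC code / exploit", yet the only other branch is 4.b "If not vulnerable", so a genuine vulnerability reported without a working proof of concept has no path: it is neither confirmed nor "not a vulnerability", and 4.b.i would have the Response Manager explain why a real bug is not one. Suggest keeping 4.a as "If submission proves to be vulnerable, proceed to next step" and stating the PoC expectation separately, for example as something the Response Manager may request during the inquiries in step 4, or adding a branch for reports that are plausible but not yet reproduced.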
@ -65,6 +71,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- c. LOW: is not easily exploitable
- c. LOW: is not easily exploitable
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
7. Respond according to the severity of the vulnerability:
7. Respond according to the severity of the vulnerability:
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
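Review bot: the new 6.d is a dispute rule, not a severity level, so listing it as a sibling of HIGH, MEDIUM and LOW under "a./b./c." is misleading; a reader scanning the list for the severity scale will take "d." as a fourth class. Move it to a sentence after the list or to its own numbered step. Also, "Monero Response team" should match the capitalisation "Response Team" used in the surrounding steps.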
@ -95,6 +102,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
2. If the Incident Response process in section III is successfully completed:
2. If the Incident Response process in section III is successfully completed:
- a. Response Manager contacts researcher and asks if researcher wishes for credit
- a. Response Manager contacts researcher and asks if researcher wishes for credit
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
- b. Finalize vulnerability announcement draft and include the following:
- b. Finalize vulnerability announcement draft and include the following:
- i. Project name and URL
- i. Project name and URL
- ii. Versions known to be affected
- ii. Versions known to be affected
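Review bot: "secion" in the new 2.a.i should be "section", and since this patch renumbers the headings it is safer to cite the target by number as well as name ("section V, Bounty Distribution"). The bounty step is also nested under 2.a, which only asks whether the researcher wants credit; bounty eligibility does not depend on the answer to that question, so it belongs as its own item under 2 rather than as a sub-item of the credit question.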
@ -119,7 +127,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
## V. Incident Analysis
## V. Bounty Distribution
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
1. 10% reserved for LOW severity bugs
2. 30% reserved for MEDIUM severity bugs
3. 60% for HIGH severity bugs
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
## VI. Incident Analysis
1. Isolate codebase
1. Isolate codebase
- a. Response Team and developers should coordinate to work on the following:
- a. Response Team and developers should coordinate to work on the following:
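Review bot: the per-bug cap in the last bullet of the new Bounty Distribution section is ambiguous. "At most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug" can be read as 10% of the category's reserve (6% of the whole pool) or as 10% of the whole pool; state it as a single figure per severity. The section should also say whether the 10%/30%/60% split and the per-bug cap are computed against the original pool or the pool remaining at payout time, because the bullet before it says the supply shrinks with every payout, which changes the amount two equally rated bugs receive. Minor: "a.s.a.p." is normally written "ASAP", and "section III. 6." should be "section III.6".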
@ -135,7 +153,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
3. Response Team has 45 days following completion of section III to ensure completion of section V
3. Response Team has 45 days following completion of section III to ensure completion of section V
## VI. Resolutions
## VII. Resolutions
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
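Review bot: the renumbering of "VI. Resolutions" to "VII. Resolutions" misses the unchanged context line just above it, "Response Team has 45 days following completion of section III to ensure completion of section V". Incident Analysis is moved to section VI earlier in this same patch, so as committed that deadline now points at Bounty Distribution; change the reference to "section VI" in the same commit.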
@ -153,7 +171,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email
- Email
## VII. Continuous Improvement
## VIII. Continuous Improvement
1. Response Team and developers should hold annual meetings to review the previous year's incidents
1. Response Team and developers should hold annual meetings to review the previous year's incidents