mirror of
https://github.com/monero-project/meta.git
synced 2024-12-22 19:49:23 +00:00
commit
bf88b47a7b
1 changed files with 22 additions and 4 deletions
|
@ -9,6 +9,12 @@
|
|||
|
||||
2. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
|
||||
|
||||
3. While **Kovri** is in a pre-Alpha release state, HackerOne should not be used for disclosure. All **Kovri** issues should be directed to [GitHub](https://github.com/monero-project/kovri)
|
||||
|
||||
4. Bounty will be released for all projects in Monero XMR only. For more information on how to use Monero, visit the [Monero website](https://getmonero.org)
|
||||
|
||||
5. Bounty will not be available for **Kovri** until **Kovri Beta** is released
|
||||
|
||||
## I. Points of Contact for Security Issues
|
||||
|
||||
### Monero (CLI/GUI/Website)
|
||||
|
@ -54,7 +60,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|||
3. In no more than 3 working days, Response Team should gratefully respond to researcher using only encrypted, secure channels
|
||||
|
||||
4. Response Manager makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability
|
||||
- a. If submission proves to be vulnerable, proceed to next step
|
||||
- a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step
|
||||
- b. If not vulnerable:
|
||||
- i. Response Manager responds with reasons why submission is not a vulnerability
|
||||
- ii. Response Manager moves discussion to a new or existing ticket on GitHub if necessary
|
||||
|
@ -65,6 +71,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|||
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
|
||||
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
|
||||
- c. LOW: is not easily exploitable
|
||||
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
|
||||
|
||||
7. Respond according to the severity of the vulnerability:
|
||||
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
|
||||
|
@ -95,6 +102,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|||
|
||||
2. If the Incident Response process in section III is successfully completed:
|
||||
- a. Response Manager contacts researcher and asks if researcher wishes for credit
|
||||
- i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"
|
||||
- b. Finalize vulnerability announcement draft and include the following:
|
||||
- i. Project name and URL
|
||||
- ii. Versions known to be affected
|
||||
|
@ -119,7 +127,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|||
- c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus
|
||||
- d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public
|
||||
|
||||
## V. Incident Analysis
|
||||
## V. Bounty Distribution
|
||||
|
||||
- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/).
|
||||
- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p.
|
||||
- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.):
|
||||
1. 10% reserved for LOW severity bugs
|
||||
2. 30% reserved for MEDIUM severity bugs
|
||||
3. 60% for HIGH severity bugs
|
||||
- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.
|
||||
|
||||
## VI. Incident Analysis
|
||||
|
||||
1. Isolate codebase
|
||||
- a. Response Team and developers should coordinate to work on the following:
|
||||
|
@ -135,7 +153,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|||
|
||||
3. Response Team has 45 days following completion of section III to ensure completion of section V
|
||||
|
||||
## VI. Resolutions
|
||||
## VII. Resolutions
|
||||
|
||||
Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following:
|
||||
|
||||
|
@ -153,7 +171,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
|
|||
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
|
||||
- Email
|
||||
|
||||
## VII. Continuous Improvement
|
||||
## VIII. Continuous Improvement
|
||||
|
||||
1. Response Team and developers should hold annual meetings to review the previous year's incidents
|
||||
|
||||
|
|
Loading…
Reference in a new issue