VRP: specify type of DoS in relation to reward

As we agreed to (the VRP team).
2024-11-16 15:58:14 +00:00 · 2019-03-09 00:29:00 +00:00 · 2019-03-09 00:29:00 +00:00 · de46de83ee
commit de46de83ee
parent bcea379ffa
1 changed files with 7 additions and 5 deletions
--- a/VULNERABILITY_RESPONSE_PROCESS.md
+++ b/VULNERABILITY_RESPONSE_PROCESS.md
@ -83,11 +83,13 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D  D29B 66A7 6ECF 9144 09F1

 5. If over email, Response Manager opens a HackerOne issue for new submission

-6. Establish severity of vulnerability:
-    - a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
-    - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
-    - c. LOW: is not easily exploitable or is low impact
-    - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
+6. Define severity:
+    - a. Establish severity of vulnerability:
+        - i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
+        - ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
+        - iii. LOW: is not easily exploitable or is low impact
+    - b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
+    - c. Since a systematic DoS hunt has not been completed on any code, DoS's which do not crash a node remotely will receive a lower bounty reward

 7. Respond according to the severity of the vulnerability:
    - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification