VRP: specify type of DoS in relation to reward

As we agreed to (the VRP team).
This commit is contained in:
anonimal 2019-03-09 00:29:00 +00:00
parent bcea379ffa
commit de46de83ee
No known key found for this signature in database
GPG key ID: 66A76ECF914409F1

@ -83,11 +83,13 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
5. If over email, Response Manager opens a HackerOne issue for new submission 5. If over email, Response Manager opens a HackerOne issue for new submission
6. Establish severity of vulnerability: 6. Define severity:
- a. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - a. Establish severity of vulnerability:
- b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- c. LOW: is not easily exploitable or is low impact - ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity - iii. LOW: is not easily exploitable or is low impact
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
- c. Since a systematic DoS hunt has not been completed on any code, DoS's which do not crash a node remotely will receive a lower bounty reward
7. Respond according to the severity of the vulnerability: 7. Respond according to the severity of the vulnerability:
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
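Review bot: the new sub-item 6.c ("DoS's which do not crash a node remotely will receive a lower bounty reward") does not say how the lower reward relates to the HIGH/MEDIUM/LOW scale defined just above it in 6.a, so a reporter cannot tell whether a non-crashing DoS is classified as MEDIUM or LOW or simply reduced within whatever tier it lands in; consider stating the tier explicitly, e.g. "... will be classified no higher than LOW until a systematic DoS review has been completed", which also keeps the classification and the reward decision in one place. Two smaller points in the same item: "DoS's" should read "DoS issues" or "denial-of-service bugs", and "crash a node remotely" is ambiguous about whether "remotely" qualifies the crash or the attack vector (a remotely triggered resource-exhaustion that degrades but does not crash the node is the case the sentence seems to target, and it would help to say so). Finally, the justification "since a systematic DoS hunt has not been completed on any code" is a point-in-time statement; the item should make clear that the reduced reward is temporary and who decides when that condition no longer holds (presumably the Monero Response team, per 6.b).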