Merge pull request #431 from anonimal/VRP-updates

VRP updates
luigi1111 2020-02-13 12:45:07 -05:00 committed by GitHub
commit fa3e1d94d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1,6 +1,6 @@
# The Monero Project Vulnerability Response Process # The Monero Project Vulnerability Response Process
## Preamble (Monero/Kovri) ## Preamble
1. This Vulnerability Response Process and subsequent bounty reward apply to the following: 1. This Vulnerability Response Process and subsequent bounty reward apply to the following:
- Code implementation as seen in the Monero Project GitHub repositories - Code implementation as seen in the Monero Project GitHub repositories
@ -8,9 +8,9 @@
- Written research from the Monero Research Lab which dictates said code implementation - Written research from the Monero Research Lab which dictates said code implementation
2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: 2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:
- Denial of Service / Active exploiting against the Monero/Kovri networks - Denial of Service / Active exploiting against the Monero networks
- Social Engineering of Monero/Kovri Project staff or contractors - Social Engineering of Monero Project staff or contractors
- Any physical or electronic attempts against Monero/Kovri community property and/or data centers - Any physical or electronic attempts against Monero community property and/or data centers
3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** 3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
@ -20,50 +20,35 @@
- do not abide by the VRP for responsible disclosure - do not abide by the VRP for responsible disclosure
- do not allow the completion of VRP points I through IV - do not allow the completion of VRP points I through IV
## Preamble (Monero) 6. Attacks which require more than 50% of the network hash rate (or equivalent luck for enough blocks to execute) are out of policy scope
1. Attacks which require more than 50% of the network hash rate to execute are out of policy scope
## Preamble (Kovri)
1. While Kovri is in a pre-Beta release state, do not use HackerOne for disclosure. All Kovri issues MUST be directed to either [GitHub](https://github.com/monero-project/kovri) or Email
2. Bounty will not be available for Kovri until **Kovri Beta** is released
## I. Points of contact for security issues ## I. Points of contact for security issues
### Monero (CLI/GUI/website) **Please, CC all points of contact if you decide to use email instead of HackerOne**
``` ```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
ric [at] getmonero.org ric [at] getmonero.org
PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9
luigi1111 [at] getmonero.org luigi1111 [at] getmonero.org
PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010 PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010
```
### Monero (CLI/GUI)
```
moneromooo on Freenode moneromooo on Freenode
PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3 PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3
If pasting GPG encrypted data, use fpaste.org or pastebin.mozilla.org If pasting GPG encrypted data, use paste.centos.org or paste.debian.net
or paste.debian.net as these don't blackball Tor via Cloudflare. as these don't blackball Tor via Cloudflare.
OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A
``` ```
### Kovri (CLI/Website)
```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
```
## II. Security response team ## II. Security response team
- anonimal
- fluffypony - fluffypony
- luigi1111 - luigi1111
- moneromooo - moneromooo
- anonimal
## III. Incident response ## III. Incident response
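Review bot: anonimal's email address and PGP fingerprint are removed from the points of contact in section I (the dropped `anonimal [at] getmonero.org` / `PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1` lines), yet anonimal stays on the security response team in section II (moved from first to last in the list). The new bold sentence asks reporters to CC all points of contact when using email, so a response team member with no listed contact cannot be CC'd; either restore a contact entry for anonimal or remove the name from section II as well, and state the intent in the commit message. Two smaller points in the same hunk: the parenthetical added to the new point 6, "(or equivalent luck for enough blocks to execute)", has no defined meaning and should spell out what counts as equivalent to more than 50% of the hash rate; and the merged contact block now places moneromooo's Freenode and OTR details directly under a sentence about email, so the "CC all points of contact" instruction should make clear which entries are email addresses and which are IRC-only.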
@ -85,7 +70,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
6. Define severity: 6. Define severity:
- a. Establish severity of vulnerability: - a. Establish severity of vulnerability:
- i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe - i. HIGH: impacts network as a whole, has potential to break entire monero network, results in the loss of monero, or is on a scale of great catastrophe
- ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited - ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- iii. LOW: is not easily exploitable or is low impact - iii. LOW: is not easily exploitable or is low impact
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity - b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
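Review bot: the MEDIUM severity line still reads "impacts individual nodes, routers, wallets, or must be carefully exploited"; "routers" is the Kovri/I2P term, and with Kovri removed from scope everywhere else in this patch it is now a stale reference. Suggest changing that line to "impacts individual nodes, wallets, or must be carefully exploited", consistent with the HIGH line in this same hunk, which drops "monero/kovri network" in favour of "monero network".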
@ -177,16 +162,12 @@ Any further questions or resolutions regarding the incident(s) between the resea
- IRC on Freenode - IRC on Freenode
- `#monero-dev` - `#monero-dev`
- `#kovri-dev`
- [GitHub](https://github.com/monero-project/monero/issues/) - [GitHub](https://github.com/monero-project/monero/issues/)
- [Monero (CLI)](https://github.com/monero-project/monero/issues/) - [Monero (CLI)](https://github.com/monero-project/monero/issues/)
- [Monero (GUI)](https://github.com/monero-project/monero-core/issues/) - [Monero (GUI)](https://github.com/monero-project/monero-core/issues/)
- [Monero (Website)](https://github.com/monero-project/monero-site/issues/) - [Monero (Website)](https://github.com/monero-project/monero-site/issues/)
- [Kovri](https://github.com/monero-project/kovri/issues/)
- [Kovri (Website)](https://github.com/monero-project/kovri-site/issues/)
- [HackerOne](https://hackerone.com/monero) - [HackerOne](https://hackerone.com/monero)
- [Reddit /r/Monero](https://reddit.com/r/Monero/) - [Reddit /r/Monero](https://reddit.com/r/Monero/)
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email - Email
## VIII. Continuous improvement ## VIII. Continuous improvement
@ -194,7 +175,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
1. Response Team and developers should hold annual meetings to review the previous year's incidents 1. Response Team and developers should hold annual meetings to review the previous year's incidents
2. Response Team or designated person(s) should give a brief presentation, including: 2. Response Team or designated person(s) should give a brief presentation, including:
- a. Areas of Monero/Kovri affected by the incidents - a. Areas of Monero affected by the incidents
- b. Any network downtime or monetary cost (if any) of the incidents - b. Any network downtime or monetary cost (if any) of the incidents
- c. Ways in which the incidents could have been avoided (if any) - c. Ways in which the incidents could have been avoided (if any)
- d. How effective this process was in dealing with the incidents - d. How effective this process was in dealing with the incidents