mirror of
https://github.com/monero-project/meta.git
synced 2024-12-22 11:39:22 +00:00
commit
fa3e1d94d1
1 changed files with 14 additions and 33 deletions
|
@ -1,6 +1,6 @@
|
||||||
# The Monero Project Vulnerability Response Process
|
# The Monero Project Vulnerability Response Process
|
||||||
|
|
||||||
## Preamble (Monero/Kovri)
|
## Preamble
|
||||||
|
|
||||||
1. This Vulnerability Response Process and subsequent bounty reward apply to the following:
|
1. This Vulnerability Response Process and subsequent bounty reward apply to the following:
|
||||||
- Code implementation as seen in the Monero Project GitHub repositories
|
- Code implementation as seen in the Monero Project GitHub repositories
|
||||||
|
@ -8,9 +8,9 @@
|
||||||
- Written research from the Monero Research Lab which dictates said code implementation
|
- Written research from the Monero Research Lab which dictates said code implementation
|
||||||
|
|
||||||
2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:
|
2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:
|
||||||
- Denial of Service / Active exploiting against the Monero/Kovri networks
|
- Denial of Service / Active exploiting against the Monero networks
|
||||||
- Social Engineering of Monero/Kovri Project staff or contractors
|
- Social Engineering of Monero Project staff or contractors
|
||||||
- Any physical or electronic attempts against Monero/Kovri community property and/or data centers
|
- Any physical or electronic attempts against Monero community property and/or data centers
|
||||||
|
|
||||||
3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
|
3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
|
||||||
|
|
||||||
|
@ -20,50 +20,35 @@
|
||||||
- do not abide by the VRP for responsible disclosure
|
- do not abide by the VRP for responsible disclosure
|
||||||
- do not allow the completion of VRP points I through IV
|
- do not allow the completion of VRP points I through IV
|
||||||
|
|
||||||
## Preamble (Monero)
|
6. Attacks which require more than 50% of the network hash rate (or equivalent luck for enough blocks to execute) are out of policy scope
|
||||||
|
|
||||||
1. Attacks which require more than 50% of the network hash rate to execute are out of policy scope
|
|
||||||
|
|
||||||
## Preamble (Kovri)
|
|
||||||
|
|
||||||
1. While Kovri is in a pre-Beta release state, do not use HackerOne for disclosure. All Kovri issues MUST be directed to either [GitHub](https://github.com/monero-project/kovri) or Email
|
|
||||||
2. Bounty will not be available for Kovri until **Kovri Beta** is released
|
|
||||||
|
|
||||||
## I. Points of contact for security issues
|
## I. Points of contact for security issues
|
||||||
|
|
||||||
### Monero (CLI/GUI/website)
|
**Please, CC all points of contact if you decide to use email instead of HackerOne**
|
||||||
|
|
||||||
```
|
```
|
||||||
|
anonimal [at] getmonero.org
|
||||||
|
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
||||||
|
|
||||||
ric [at] getmonero.org
|
ric [at] getmonero.org
|
||||||
PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9
|
PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9
|
||||||
|
|
||||||
luigi1111 [at] getmonero.org
|
luigi1111 [at] getmonero.org
|
||||||
PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010
|
PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010
|
||||||
```
|
|
||||||
|
|
||||||
### Monero (CLI/GUI)
|
|
||||||
|
|
||||||
```
|
|
||||||
moneromooo on Freenode
|
moneromooo on Freenode
|
||||||
PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3
|
PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3
|
||||||
If pasting GPG encrypted data, use fpaste.org or pastebin.mozilla.org
|
If pasting GPG encrypted data, use paste.centos.org or paste.debian.net
|
||||||
or paste.debian.net as these don't blackball Tor via Cloudflare.
|
as these don't blackball Tor via Cloudflare.
|
||||||
OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A
|
OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A
|
||||||
```
|
```
|
||||||
|
|
||||||
### Kovri (CLI/Website)
|
|
||||||
|
|
||||||
```
|
|
||||||
anonimal [at] getmonero.org
|
|
||||||
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
|
||||||
```
|
|
||||||
|
|
||||||
## II. Security response team
|
## II. Security response team
|
||||||
|
|
||||||
|
- anonimal
|
||||||
- fluffypony
|
- fluffypony
|
||||||
- luigi1111
|
- luigi1111
|
||||||
- moneromooo
|
- moneromooo
|
||||||
- anonimal
|
|
||||||
|
|
||||||
## III. Incident response
|
## III. Incident response
|
||||||
|
|
||||||
|
@ -85,7 +70,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
|
||||||
|
|
||||||
6. Define severity:
|
6. Define severity:
|
||||||
- a. Establish severity of vulnerability:
|
- a. Establish severity of vulnerability:
|
||||||
- i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
|
- i. HIGH: impacts network as a whole, has potential to break entire monero network, results in the loss of monero, or is on a scale of great catastrophe
|
||||||
- ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
|
- ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
|
||||||
- iii. LOW: is not easily exploitable or is low impact
|
- iii. LOW: is not easily exploitable or is low impact
|
||||||
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
|
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
|
||||||
|
@ -177,16 +162,12 @@ Any further questions or resolutions regarding the incident(s) between the resea
|
||||||
|
|
||||||
- IRC on Freenode
|
- IRC on Freenode
|
||||||
- `#monero-dev`
|
- `#monero-dev`
|
||||||
- `#kovri-dev`
|
|
||||||
- [GitHub](https://github.com/monero-project/monero/issues/)
|
- [GitHub](https://github.com/monero-project/monero/issues/)
|
||||||
- [Monero (CLI)](https://github.com/monero-project/monero/issues/)
|
- [Monero (CLI)](https://github.com/monero-project/monero/issues/)
|
||||||
- [Monero (GUI)](https://github.com/monero-project/monero-core/issues/)
|
- [Monero (GUI)](https://github.com/monero-project/monero-core/issues/)
|
||||||
- [Monero (Website)](https://github.com/monero-project/monero-site/issues/)
|
- [Monero (Website)](https://github.com/monero-project/monero-site/issues/)
|
||||||
- [Kovri](https://github.com/monero-project/kovri/issues/)
|
|
||||||
- [Kovri (Website)](https://github.com/monero-project/kovri-site/issues/)
|
|
||||||
- [HackerOne](https://hackerone.com/monero)
|
- [HackerOne](https://hackerone.com/monero)
|
||||||
- [Reddit /r/Monero](https://reddit.com/r/Monero/)
|
- [Reddit /r/Monero](https://reddit.com/r/Monero/)
|
||||||
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
|
|
||||||
- Email
|
- Email
|
||||||
|
|
||||||
## VIII. Continuous improvement
|
## VIII. Continuous improvement
|
||||||
|
@ -194,7 +175,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
|
||||||
1. Response Team and developers should hold annual meetings to review the previous year's incidents
|
1. Response Team and developers should hold annual meetings to review the previous year's incidents
|
||||||
|
|
||||||
2. Response Team or designated person(s) should give a brief presentation, including:
|
2. Response Team or designated person(s) should give a brief presentation, including:
|
||||||
- a. Areas of Monero/Kovri affected by the incidents
|
- a. Areas of Monero affected by the incidents
|
||||||
- b. Any network downtime or monetary cost (if any) of the incidents
|
- b. Any network downtime or monetary cost (if any) of the incidents
|
||||||
- c. Ways in which the incidents could have been avoided (if any)
|
- c. Ways in which the incidents could have been avoided (if any)
|
||||||
- d. How effective this process was in dealing with the incidents
|
- d. How effective this process was in dealing with the incidents
|
||||||
|
|
Loading…
Reference in a new issue