Merge pull request #431 from anonimal/VRP-updates

VRP updates
This commit is contained in:
luigi1111 2020-02-13 12:45:07 -05:00 committed by GitHub
commit fa3e1d94d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -1,6 +1,6 @@
# The Monero Project Vulnerability Response Process
## Preamble (Monero/Kovri)
## Preamble
1. This Vulnerability Response Process and subsequent bounty reward apply to the following:
- Code implementation as seen in the Monero Project GitHub repositories
@ -8,9 +8,9 @@
- Written research from the Monero Research Lab which dictates said code implementation
2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:
- Denial of Service / Active exploiting against the Monero/Kovri networks
- Social Engineering of Monero/Kovri Project staff or contractors
- Any physical or electronic attempts against Monero/Kovri community property and/or data centers
- Denial of Service / Active exploiting against the Monero networks
- Social Engineering of Monero Project staff or contractors
- Any physical or electronic attempts against Monero community property and/or data centers
3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!**
@ -20,50 +20,35 @@
- do not abide by the VRP for responsible disclosure
- do not allow the completion of VRP points I through IV
## Preamble (Monero)
1. Attacks which require more than 50% of the network hash rate to execute are out of policy scope
## Preamble (Kovri)
1. While Kovri is in a pre-Beta release state, do not use HackerOne for disclosure. All Kovri issues MUST be directed to either [GitHub](https://github.com/monero-project/kovri) or Email
2. Bounty will not be available for Kovri until **Kovri Beta** is released
6. Attacks which require more than 50% of the network hash rate (or equivalent luck for enough blocks to execute) are out of policy scope
## I. Points of contact for security issues
### Monero (CLI/GUI/website)
**Please, CC all points of contact if you decide to use email instead of HackerOne**
```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
ric [at] getmonero.org
PGP fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9
luigi1111 [at] getmonero.org
PGP fingerprint = 8777 AB8F 778E E894 87A2 F8E7 F4AC A018 3641 E010
```
### Monero (CLI/GUI)
```
moneromooo on Freenode
PGP fingerprint = 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3
If pasting GPG encrypted data, use fpaste.org or pastebin.mozilla.org
or paste.debian.net as these don't blackball Tor via Cloudflare.
If pasting GPG encrypted data, use paste.centos.org or paste.debian.net
as these don't blackball Tor via Cloudflare.
OTR: 6C7966BB 72E42F33 E1A3F137 2133AC39 D343514A
```
### Kovri (CLI/Website)
```
anonimal [at] getmonero.org
PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
```
## II. Security response team
- anonimal
- fluffypony
- luigi1111
- moneromooo
- anonimal
## III. Incident response
@ -85,7 +70,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
6. Define severity:
- a. Establish severity of vulnerability:
- i. HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe
- i. HIGH: impacts network as a whole, has potential to break entire monero network, results in the loss of monero, or is on a scale of great catastrophe
- ii. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
- iii. LOW: is not easily exploitable or is low impact
- b. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
@ -177,16 +162,12 @@ Any further questions or resolutions regarding the incident(s) between the resea
- IRC on Freenode
- `#monero-dev`
- `#kovri-dev`
- [GitHub](https://github.com/monero-project/monero/issues/)
- [Monero (CLI)](https://github.com/monero-project/monero/issues/)
- [Monero (GUI)](https://github.com/monero-project/monero-core/issues/)
- [Monero (Website)](https://github.com/monero-project/monero-site/issues/)
- [Kovri](https://github.com/monero-project/kovri/issues/)
- [Kovri (Website)](https://github.com/monero-project/kovri-site/issues/)
- [HackerOne](https://hackerone.com/monero)
- [Reddit /r/Monero](https://reddit.com/r/Monero/)
- [Reddit /r/Kovri](https://reddit.com/r/Kovri/)
- Email
## VIII. Continuous improvement
@ -194,7 +175,7 @@ Any further questions or resolutions regarding the incident(s) between the resea
1. Response Team and developers should hold annual meetings to review the previous year's incidents
2. Response Team or designated person(s) should give a brief presentation, including:
- a. Areas of Monero/Kovri affected by the incidents
- a. Areas of Monero affected by the incidents
- b. Any network downtime or monetary cost (if any) of the incidents
- c. Ways in which the incidents could have been avoided (if any)
- d. How effective this process was in dealing with the incidents