docs: align SECURITY.md for refresh (#17526)

Mo Miz 2023-08-24 16:16:35 -07:00 committed by GitHub
parent bb106cb50d
commit 9de71d7bee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -21,26 +21,17 @@ the vulnerability can be reproduced on either one of those.
## Reporting a Vulnerability
| Reporting methods |
|---------------------------------------------------------------|
| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
| [HackerOne bug bounty program][h1] |
| Reporting methods | Bounty eligible |
|---------------------------------------------------------------|-----------------|
| [HackerOne program][h1] | yes |
| [security@interchain.io](mailto:security@interchain.io) | no |
All security vulnerabilities can be reported under GitHub's [Private
vulnerability reporting][gh-private-advisory] system. This will open a private
issue for the developers. Try to fill in as much of the questions as possible.
If you are not familiar with the CVSS system for assessing vulnerabilities, just
use the Low/High/Critical severity ratings. A partially filled in report for a
critical vulnerability is still better than no report at all.
Issues identified in this repository may be eligible for a [bug bounty][h1]. For your report to be bounty
eligible it must be reported exclusively through the [HackerOne Bug Bounty][h1].
Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
page for more details on submissions and rewards. If you think the vulnerability
is eligible for a payout, **report on HackerOne first**.
Vulnerabilities in services and their source codes (JavaScript, web page, Google
Workspace) are not in scope for the bug bounty program, but they are welcome to
be reported in GitHub.
If you do not wish to be eligible for a bounty or do not want to use the HackerOne platform to report an
issue, please send your report via email to [security@interchain.io](mailto:security@interchain.io) with
reproduction steps and details of the issue.
### Guidelines
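Review bot: the rewrite drops the scope statement carried by the removed paragraphs (Go, Rust or Protobuf code eligible; JavaScript, web page and Google Workspace services out of scope), so the new text tells reporters where to report but no longer what is in scope for the bounty; keep a one-line scope note beside the "Bounty eligible" table, or point to the HackerOne program page for scope the way the removed text did with "Please see the bug bounty page for more details on submissions and rewards." The removed advice that "A partially filled in report for a critical vulnerability is still better than no report at all" is also worth retaining under the email path, and the two new paragraphs beginning "Issues identified in this repository" and "If you do not wish to be eligible" are wrapped well beyond the roughly 80-column width used by the rest of the file. Since security@interchain.io is now a primary channel, consider stating whether the mailbox accepts PGP-encrypted reports and where the key is published.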
@ -72,7 +63,6 @@ If you follow these guidelines when reporting an issue to us, we commit to:
* See [EXAMPLES.md] for some of the examples that we are interested in for the
bug bounty program.
[gh-private-advisory]: /../../security/advisories/new
[h1]: https://hackerone.com/cosmos
[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
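Review bot: removing the `[gh-private-advisory]` definition is consistent with the first hunk, which no longer references it, but the visible context covers only the two changed regions of the file, so confirm no other `[gh-private-advisory]` link remains elsewhere in SECURITY.md or it will render as literal brackets; the same check applies to `[EXAMPLES.md]` in the retained bullet, whose definition is not among the visible reference lines.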