You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: SECURITY.md
+36-36
Original file line number
Diff line number
Diff line change
@@ -7,55 +7,55 @@ Policy](https://tendermint.com/security), we operate a [bug
7
7
bounty](https://hackerone.com/tendermint).
8
8
See the policy for more details on submissions and rewards, and see "Example Vulnerabilities" (below) for examples of the kinds of bugs we're most interested in.
9
9
10
-
### Guidelines
10
+
### Guidelines
11
11
12
12
We require that all researchers:
13
13
14
14
* Use the bug bounty to disclose all vulnerabilities, and avoid posting vulnerability information in public places, including Github Issues, Discord channels, and Telegram groups
15
15
* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data
16
-
* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Tendermint Core engineering team until the issue has been resolved and disclosed
16
+
* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Tendermint Core engineering team until the issue has been resolved and disclosed
17
17
* Avoid posting personally identifiable information, privately or publicly
18
18
19
19
If you follow these guidelines when reporting an issue to us, we commit to:
20
20
21
21
* Not pursue or support any legal action related to your research on this vulnerability
22
-
* Work with you to understand, resolve and ultimately disclose the issue in a timely fashion
22
+
* Work with you to understand, resolve and ultimately disclose the issue in a timely fashion
23
23
24
-
## Disclosure Process
24
+
## Disclosure Process
25
25
26
26
Tendermint Core uses the following disclosure process:
27
27
28
-
1. Once a security report is received, the Tendermint Core team works to verify the issue and confirm its severity level using CVSS.
29
-
2. The Tendermint Core team collaborates with the Gaia team to determine the vulnerability’s potential impact on the Cosmos Hub.
30
-
3. Patches are prepared for eligible releases of Tendermint in private repositories. See “Supported Releases” below for more information on which releases are considered eligible.
31
-
4. If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
28
+
1. Once a security report is received, the Tendermint Core team works to verify the issue and confirm its severity level using CVSS.
29
+
2. The Tendermint Core team collaborates with the Gaia team to determine the vulnerability’s potential impact on the Cosmos Hub.
30
+
3. Patches are prepared for eligible releases of Tendermint in private repositories. See “Supported Releases” below for more information on which releases are considered eligible.
31
+
4. If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
32
32
5. We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include forum posts, tweets, and emails to partners and validators, including emails sent to the [Tendermint Security Mailing List](https://berlin.us4.list-manage.com/subscribe?u=431b35421ff7edcc77df5df10&id=3fe93307bc).
33
-
6. 24 hours following this notification, the fixes are applied publicly and new releases are issued.
34
-
7. Cosmos SDK and Gaia update their Tendermint Core dependencies to use these releases, and then themselves issue new releases.
35
-
8. Once releases are available for Tendermint Core, Cosmos SDK and Gaia, we notify the community, again, through the same channels as above. We also publish a Security Advisory on Github and publish the CVE, as long as neither the Security Advisory nor the CVE include any information on how to exploit these vulnerabilities beyond what information is already available in the patch itself.
36
-
9. Once the community is notified, we will pay out any relevant bug bounties to submitters.
37
-
10. One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it.
33
+
6. 24 hours following this notification, the fixes are applied publicly and new releases are issued.
34
+
7. Cosmos SDK and Gaia update their Tendermint Core dependencies to use these releases, and then themselves issue new releases.
35
+
8. Once releases are available for Tendermint Core, Cosmos SDK and Gaia, we notify the community, again, through the same channels as above. We also publish a Security Advisory on Github and publish the CVE, as long as neither the Security Advisory nor the CVE include any information on how to exploit these vulnerabilities beyond what information is already available in the patch itself.
36
+
9. Once the community is notified, we will pay out any relevant bug bounties to submitters.
37
+
10. One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it.
38
38
39
-
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Tendermint Core and its downstream dependent projects--including but not limited to Gaia and the Cosmos Hub--as secure as possible.
39
+
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Tendermint Core and its downstream dependent projects--including but not limited to Gaia and the Cosmos Hub--as secure as possible.
40
40
41
-
### Example Timeline
41
+
### Example Timeline
42
42
43
-
The following is an example timeline for the triage and response. The required roles and team members are described in parentheses after each task; however, multiple people can play each role and each person may play multiple roles.
43
+
The following is an example timeline for the triage and response. The required roles and team members are described in parentheses after each task; however, multiple people can play each role and each person may play multiple roles.
44
44
45
-
#### > 24 Hours Before Release Time
45
+
#### 24+ Hours Before Release Time
46
46
47
-
1. Request CVE number (ADMIN)
48
-
2. Gather emails and other contact info for validators (COMMS LEAD)
47
+
1. Request CVE number (ADMIN)
48
+
2. Gather emails and other contact info for validators (COMMS LEAD)
49
49
3. Create patches in a private security repo, and ensure that PRs are open targeting all relevant release branches (TENDERMINT ENG, TENDERMINT LEAD)
50
-
4. Test fixes on a testnet (TENDERMINT ENG, COSMOS ENG)
51
-
5. Write “Security Advisory” for forum (TENDERMINT LEAD)
50
+
4. Test fixes on a testnet (TENDERMINT ENG, COSMOS SDK ENG)
51
+
5. Write “Security Advisory” for forum (TENDERMINT LEAD)
52
52
53
53
#### 24 Hours Before Release Time
54
54
55
-
1. Post “Security Advisory” pre-notification on forum (TENDERMINT LEAD)
56
-
2. Post Tweet linking to forum post (COMMS LEAD)
57
-
3. Announce security advisory/link to post in various other social channels (Telegram, Discord) (COMMS LEAD)
58
-
4. Send emails to validators or other users (PARTNERSHIPS LEAD)
55
+
1. Post “Security Advisory” pre-notification on forum (TENDERMINT LEAD)
56
+
2. Post Tweet linking to forum post (COMMS LEAD)
57
+
3. Announce security advisory/link to post in various other social channels (Telegram, Discord) (COMMS LEAD)
58
+
4. Send emails to validators or other users (PARTNERSHIPS LEAD)
59
59
60
60
#### Release Time
61
61
@@ -65,36 +65,36 @@ The following is an example timeline for the triage and response. The required r
65
65
4. Post “Security releases” on forum (TENDERMINT LEAD)
66
66
5. Post new Tweet linking to forum post (COMMS LEAD)
67
67
6. Remind everyone via social channels (Telegram, Discord) that the release is out (COMMS LEAD)
68
-
7. Send emails to validators or other users (COMMS LEAD)
69
-
8. Publish Security Advisory and CVE, if CVE has no sensitive information (ADMIN)
68
+
7. Send emails to validators or other users (COMMS LEAD)
69
+
8. Publish Security Advisory and CVE, if CVE has no sensitive information (ADMIN)
70
70
71
71
#### After Release Time
72
72
73
73
1. Write forum post with exploit details (TENDERMINT LEAD)
74
-
2. Approve pay-out on HackerOne for submitter (ADMIN)
74
+
2. Approve pay-out on HackerOne for submitter (ADMIN)
75
75
76
76
#### 7 Days After Release Time
77
77
78
-
1. Publish CVE if it has not yet been published (ADMIN)
78
+
1. Publish CVE if it has not yet been published (ADMIN)
79
79
2. Publish forum post with exploit details (TENDERMINT ENG, TENDERMINT LEAD)
80
80
81
81
## Supported Releases
82
82
83
-
The Tendermint Core team commits to releasing security patch releases for both the latest minor release as well for the major/minor release that the Cosmos Hub is running.
83
+
The Tendermint Core team commits to releasing security patch releases for both the latest minor release as well for the major/minor release that the Cosmos Hub is running.
84
84
85
-
If you are running older versions of Tendermint Core, we encourage you to upgrade at your earliest opportunity so that you can receive security patches directly from the Tendermint repo. While you are welcome to backport security patches to older versions for your own use, we will not publish or promote these backports.
85
+
If you are running older versions of Tendermint Core, we encourage you to upgrade at your earliest opportunity so that you can receive security patches directly from the Tendermint repo. While you are welcome to backport security patches to older versions for your own use, we will not publish or promote these backports.
86
86
87
87
## Scope
88
88
89
89
The full scope of our bug bounty program is outlined on our [Hacker One program page](https://hackerone.com/tendermint). Please also note that, in the interest of the safety of our users and staff, a few things are explicitly excluded from scope:
90
90
91
-
* Any third-party services
92
-
* Findings from physical testing, such as office access
91
+
* Any third-party services
92
+
* Findings from physical testing, such as office access
93
93
* Findings derived from social engineering (e.g., phishing)
94
94
95
-
## Example Vulnerabilities
95
+
## Example Vulnerabilities
96
96
97
-
The following is a list of examples of the kinds of vulnerabilities that we’re most interested in. It is not exhaustive: there are other kinds of issues we may also be interested in!
97
+
The following is a list of examples of the kinds of vulnerabilities that we’re most interested in. It is not exhaustive: there are other kinds of issues we may also be interested in!
98
98
99
99
### Specification
100
100
@@ -154,5 +154,5 @@ Attacks may come through the P2P network or the RPC layer:
0 commit comments