Update SECURITY.md #959
Update SECURITY.md #959
Conversation
The Security Council has approved a new SECURITY.md aligned with the bug-bounty process. Please update your project’s SECURITY.md with the correct links for your project and confirm that private vulnerability reporting is enabled for your repository. All bug bounty details found here: https://opensourcecommittee.docs.intersectmbo.org/about/paid-open-source-model-posm/bug-bounty-program'
There was a problem hiding this comment.
This looks like a template with some things left for us to fill in.
I wonder if it even makes sense to have this template for this repository. We're not producing code that is used in production, our code only runs for testing purposes. What do other repositories that provide testing infrastructure do here?
| Please report (suspected) security vulnerabilities to [email protected]. You will receive a | ||
| response from us within 48 hours. If the issue is confirmed, we will release a patch as soon | ||
| as possible. | ||
| The Cardano open source project (xxx) is committed to ensuring the security of |
| If you discover a security vulnerability in xxxx, we encourage you to | ||
| responsibly disclose it to us. To report a vulnerability, please use | ||
| the [private reporting form on | ||
| GitHub](https://github.com/input-output-hk/mithril/security/advisories/new) |
There was a problem hiding this comment.
I don't think linking to the mithril repo is correct here?
There was a problem hiding this comment.
yes, needs to reflect equivalent for yall
|
|
||
| - A description of the vulnerability and its potential impact. | ||
| - Steps to reproduce the vulnerability. | ||
| - The version of `xxxx` package where the vulnerability exists. |
| ## Contact Information | ||
|
|
||
| To report a security vulnerability, please use [GitHub | ||
| form]((add project github form for your project)). Should you experience any issues reporting via GitHub or have other questions, Please contact [Security]([email protected]). |
There was a problem hiding this comment.
We don't have one, and I'm not sure we should make one. Maybe reuse the Ledger one (assuming they have it)?
|
|
||
| This Security Vulnerability Disclosure Policy may be updated or | ||
| revised as necessary. Please check the latest version of this policy | ||
| on the [xxxx repository]((add link for your project)). |
There was a problem hiding this comment.
Missing info here as well.
|
feel free to utilize it as you wish, it just serves that if something was found in the code that could effect running in another project this is a way to report it and a bounty is possible |
The Security Council has approved a new SECURITY.md aligned with the bug-bounty process. Please update your project’s SECURITY.md with the correct links for your project and confirm that private vulnerability reporting is enabled for your repository. All bug bounty details found here:
https://opensourcecommittee.docs.intersectmbo.org/about/paid-open-source-model-posm/bug-bounty-program'
Description
Checklist
CHANGELOG.md