From fe807205be1dadf8bc5d3b3f36cd30dc9dc8720f Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Wed, 21 Aug 2024 19:57:10 +0200 Subject: [PATCH] Add all 3 reporting options --- SECURITY.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 91e2617..2c01c0b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -17,9 +17,17 @@ This is a shared security policy for the CosmWasm stack, including the following ## Reporting a Vulnerability -Please report any security issues via email to security@confio.gmbh. +There are three ways to report a security issue -You will receive a response from us within 4 working days confirming that a human read your email. If you do not hear back within 1 week, feel free to send a reminder or try to notify core team members via different channels. +| | Cosmos HackerOne Bug Bounty program | security@interchain.io | security@confio.gmbh | +| ------------------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Maintained by | Amulet | Amulet | Confio | +| Eligable for bounty | yes | no | no | +| Reporting link | | [security@interchain.io](mailto:security@interchain.io) | [security@confio.gmbh](mailto:security@confio.gmbh) | +| Reporter management | professional communation | professional communation | best effort | +| Details | See program details at | If you prefer to report an issue via email, you may send a bug report to security@interchain.io with the issue details, reproduction, impact, and other information. Please submit only one unique email thread per vulnerability. Any issues reported via email are ineligible for bounty rewards. | You will receive a response from us within 4 working days confirming that a human read your email. 
If you do not hear back within 1 week, feel free to send a reminder or try to notify core team members via different channels. | + +Please only choose one. In all cases the analysis and fixing of the issue will be performed by Confio. Within a few days we try to reproduce the issue and confirm it. After that we work on a patch and a release strategy. Experience shows the later part is harder than the actual patch as we need to evaluate which versions are affected, for which versions a patch is provided, if that patch is consensus or state breaking and how users can apply the patch. This part can take a few days up to multiple weeks.
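Review bot: The HackerOne column has no link at all: the "Reporting link" cell is empty and the "Details" cell ends mid-sentence with "See program details at", so the one channel that is marked "Eligable for bounty | yes" is the only one a reporter cannot actually reach from this table; add the program URL to both cells before merging. Two spelling fixes in the same table: "Eligable" should be "Eligible", and "professional communation" (used twice) should be "professional communication". Also check the last "Details" cell for security@confio.gmbh, which in this hunk breaks across two lines between "...a human read your email." and "If you do not hear back within 1 week..."; a line break inside a Markdown table cell ends the table, so keep that cell on one line (or use `<br>`). Minor: the intro line "There are three ways to report a security issue" needs a colon, and "Please only choose one." reads better as "Please choose only one of these channels."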