Create SECURITY.md
This commit is contained in:
parent
ca19799c5d
commit
9a343353b2
1 changed files with 49 additions and 0 deletions
49
SECURITY.md
Normal file
@ -0,0 +1,49 @@
# Security Policy

## Reporting a Security Bug

The ShockNet team and our open-source community take all security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" feature on our repository page.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

## Responsible Disclosure Guidelines

We request that you:

1. Allow us a reasonable amount of time to fix the issue before disclosing it publicly.
2. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any services.
3. Only interact with accounts you own or with explicit permission of the account holder.
4. Do not exploit the vulnerability beyond the minimum amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.

## Scope

This security policy applies to all ShockNet repositories.

## Handling of Vulnerability Reports

1. The security team will acknowledge receipt of your report within 3 business days.
2. We will send a more detailed response within 7 days indicating the next steps in handling your report.
3. We will keep you informed about the progress towards a fix and full announcement.
4. We may ask for additional information or guidance.

## Bug Bounty Program

Due to griefing attacks we do not officially offer a paid bug bounty program.

We may offer a bounty for critical vulnerabilities on a case-by-case basis, payable in Bitcoin. Determining whether a vulnerability qualifies and the amount of the bounty is at our sole discretion.

We are deeply grateful to security researchers who take the time to investigate and report security vulnerabilities to stengthen the Bitcoin ecosystem.

## Safe Harbor

We support safe harbor for security researchers who:

1. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
2. Only exploit vulnerabilities to the extent necessary to confirm them.
3. Do not use an exploit to compromise or exfiltrate user data.
4. Cease testing and submit a report immediately upon discovery of a vulnerability.
5. Do not publish or share vulnerabilities or associated details other than with the ShockNet team until the team has had a reasonable time to address them.

Thank you for helping keep our users safe!
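Review bot: The "Reporting a Security Bug" section gives the GitHub Security Advisory form as the only intake channel, with no fallback for a reporter who cannot or will not use a GitHub account; consider adding a dedicated contact address (and, if you can operate one, a public key so the report can be encrypted in transit) alongside "To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" feature on our repository page." Two smaller points in the same hunk: the "Responsible Disclosure Guidelines" ask reporters to "Allow us a reasonable amount of time to fix the issue before disclosing it publicly" but the "Handling of Vulnerability Reports" section commits only to the 3-business-day acknowledgement and 7-day follow-up, so stating a concrete disclosure window would make the expectation on both sides explicit; and "stengthen" in the Bug Bounty paragraph should read "strengthen".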