# Security Policy

## Reporting a Security Bug

The ShockNet team and our open-source community take all security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" feature on our repository page.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

## Responsible Disclosure Guidelines

We request that you:

1. Allow us a reasonable amount of time to fix the issue before disclosing it publicly.
2. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any services.
3. Only interact with accounts you own or with explicit permission of the account holder.
4. Do not exploit the vulnerability beyond the minimum amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.

## Scope

This security policy applies to all ShockNet repositories.

## Handling of Vulnerability Reports

1. The security team will acknowledge receipt of your report within 3 business days.
2. We will send a more detailed response within 7 days indicating the next steps in handling your report.
3. We will keep you informed about the progress towards a fix and full announcement.
4. We may ask for additional information or guidance.

## Bug Bounty Program

Due to griefing attacks we do not officially offer a paid bug bounty program.

We may offer a bounty for critical vulnerabilities on a case-by-case basis, payable in Bitcoin. Determining whether a vulnerability qualifies and the amount of the bounty is at our sole discretion.

We are deeply grateful to security researchers who take the time to investigate and report security vulnerabilities to strengthen the Bitcoin ecosystem.

## Safe Harbor

We support safe harbor for security researchers who:

1. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
2. Only exploit vulnerabilities to the extent necessary to confirm them.
3. Do not use an exploit to compromise or exfiltrate user data.
4. Cease testing and submit a report immediately upon discovery of a vulnerability.
5. Do not publish or share vulnerabilities or associated details other than with the ShockNet team until the team has had a reasonable time to address them.

Thank you for helping keep our users safe!