cosmos-sdk/SECURITY.md

# Security

> **IMPORTANT**: If you find a security issue, you can contact our team directly at
security@tendermint.com, or report it to our [bug bounty program](https://hackerone.com/tendermint) on HackerOne. *DO NOT* open a public issue on the repository.

## Bug Bounty

As part of our [Coordinated Vulnerability Disclosure Policy](https://tendermint.com/security), we operate a
[bug bounty program](https://hackerone.com/tendermint) with Hacker One.

See the policy linked above for more details on submissions and rewards and read
this [blog post](https://blog.cosmos.network/bug-bounty-program-for-tendermint-cosmos-833c67693586) for the program scope.

The following is a list of examples of the kinds of bugs we're most interested
in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested
in for Tendermint and other lower-level libraries (eg. [IAVL](https://github.com/tendermint/iavl)).

### Core packages

- [`/baseapp`](https://github.com/cosmos/cosmos-sdk/tree/master/baseapp)
- [`/crypto`](https://github.com/cosmos/cosmos-sdk/tree/master/crypto)
- [`/types`](https://github.com/cosmos/cosmos-sdk/tree/master/types)
- [`/store`](https://github.com/cosmos/cosmos-sdk/tree/master/store)

### Modules

- [`x/auth`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth)
- [`x/bank`](https://github.com/cosmos/cosmos-sdk/tree/master/x/bank)
- [`x/capability`](https://github.com/cosmos/cosmos-sdk/tree/master/x/capability)
- [`x/staking`](https://github.com/cosmos/cosmos-sdk/tree/master/x/staking)
- [`x/slashing`](https://github.com/cosmos/cosmos-sdk/tree/master/x/slashing)
- [`x/evidence`](https://github.com/cosmos/cosmos-sdk/tree/master/x/evidence)
- [`x/distribution`](https://github.com/cosmos/cosmos-sdk/tree/master/x/distribution)
- [`x/ibc`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc)
- [`x/ibc-transfer`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc-transfer)
- [`x/mint`](https://github.com/cosmos/cosmos-sdk/tree/master/x/mint)

We are interested in bugs in other modules, however the above are most likely to
have significant vulnerabilities, due to the complexity / nuance involved. We
also recommend you to read the [specification](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules/README.md) of each module before digging into
the code.

### How we process Tx parameters

- Integer operations on tx parameters, especially `sdk.Int` / `sdk.Dec`
- Gas calculation & parameter choices
- Tx signature verification (see [`x/auth/ante`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth/ante))
- Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)

### Handling private keys

- HD key derivation, local and Ledger, and all key-management functionality
- Side-channel attack vectors with our implementations
  - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00			`# Security`

update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			`> IMPORTANT: If you find a security issue, you can contact our team directly at`
			`security@tendermint.com, or report it to our [bug bounty program](https://hackerone.com/tendermint) on HackerOne. DO NOT open a public issue on the repository.`
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			`## Bug Bounty`
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			`As part of our [Coordinated Vulnerability Disclosure Policy](https://tendermint.com/security), we operate a`
			`[bug bounty program](https://hackerone.com/tendermint) with Hacker One.`
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			`See the policy linked above for more details on submissions and rewards and read`
			`this [blog post](https://blog.cosmos.network/bug-bounty-program-for-tendermint-cosmos-833c67693586) for the program scope.`
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			`The following is a list of examples of the kinds of bugs we're most interested`
			`in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested`
			`in for Tendermint and other lower-level libraries (eg. [IAVL](https://github.com/tendermint/iavl)).`

			`### Core packages`

			- [`/baseapp`](https://github.com/cosmos/cosmos-sdk/tree/master/baseapp)
			- [`/crypto`](https://github.com/cosmos/cosmos-sdk/tree/master/crypto)
			- [`/types`](https://github.com/cosmos/cosmos-sdk/tree/master/types)
			- [`/store`](https://github.com/cosmos/cosmos-sdk/tree/master/store)

			`### Modules`

			- [`x/auth`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth)
			- [`x/bank`](https://github.com/cosmos/cosmos-sdk/tree/master/x/bank)
update SECURITY.md (#6263) 2020-05-21 02:12:51 -07:00			- [`x/capability`](https://github.com/cosmos/cosmos-sdk/tree/master/x/capability)
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00			- [`x/staking`](https://github.com/cosmos/cosmos-sdk/tree/master/x/staking)
			- [`x/slashing`](https://github.com/cosmos/cosmos-sdk/tree/master/x/slashing)
			- [`x/evidence`](https://github.com/cosmos/cosmos-sdk/tree/master/x/evidence)
			- [`x/distribution`](https://github.com/cosmos/cosmos-sdk/tree/master/x/distribution)
update SECURITY.md (#6263) 2020-05-21 02:12:51 -07:00			- [`x/ibc`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc)
			- [`x/ibc-transfer`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc-transfer)
			- [`x/mint`](https://github.com/cosmos/cosmos-sdk/tree/master/x/mint)
update SECURITY.md (#5377) * update SECURITY.md * add comment on bug report * format 2019-12-16 11:24:37 -08:00
			`We are interested in bugs in other modules, however the above are most likely to`
			`have significant vulnerabilities, due to the complexity / nuance involved. We`
			`also recommend you to read the [specification](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules/README.md) of each module before digging into`
			`the code.`

			`### How we process Tx parameters`

			- Integer operations on tx parameters, especially `sdk.Int` / `sdk.Dec`
			`- Gas calculation & parameter choices`
			- Tx signature verification (see [`x/auth/ante`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth/ante))
			`- Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)`

			`### Handling private keys`
Add SECURITY.MD Closes #1267 2018-07-07 11:27:57 -07:00
			`- HD key derivation, local and Ledger, and all key-management functionality`
			`- Side-channel attack vectors with our implementations`
Address comments 2018-07-07 12:44:06 -07:00			`- e.g. key exfiltration based on time or memory-access patterns when decrypting privkey`