Add SECURITY and README updates

This commit is contained in:
claudijd 2022-07-19 17:17:50 -04:00 committed by Conor Patrick
parent 63d6cfe5d8
commit a555f0e051
2 changed files with 82 additions and 211 deletions

159
README.md

@ -1,84 +1,75 @@
<!--
parent:
order: false
-->
<div align="center">
<h1> Cosmos SDK </h1>
</div>
![banner](docs/cosmos-sdk-image.jpg)
<div align="center">
<a href="https://github.com/cosmos/cosmos-sdk/releases/latest">
<img alt="Version" src="https://img.shields.io/github/tag/cosmos/cosmos-sdk.svg" />
</a>
<a href="https://github.com/cosmos/cosmos-sdk/blob/master/LICENSE">
<img alt="License: Apache-2.0" src="https://img.shields.io/github/license/cosmos/cosmos-sdk.svg" />
</a>
<a href="https://pkg.go.dev/github.com/cosmos/cosmos-sdk?tab=doc">
<img alt="GoDoc" src="https://godoc.org/github.com/cosmos/cosmos-sdk?status.svg" />
</a>
<a href="https://goreportcard.com/report/github.com/cosmos/cosmos-sdk">
<img alt="Go report card" src="https://goreportcard.com/badge/github.com/cosmos/cosmos-sdk" />
</a>
<a href="https://codecov.io/gh/cosmos/cosmos-sdk">
<img alt="Code Coverage" src="https://codecov.io/gh/cosmos/cosmos-sdk/branch/master/graph/badge.svg" />
</a>
</div>
<div align="center">
<a href="https://github.com/cosmos/cosmos-sdk">
<img alt="Lines Of Code" src="https://tokei.rs/b1/github/cosmos/cosmos-sdk" />
</a>
<a href="https://discord.gg/AzefAFd">
<img alt="Discord" src="https://img.shields.io/discord/669268347736686612.svg" />
</a>
<a href="https://sourcegraph.com/github.com/cosmos/cosmos-sdk?badge">
<img alt="Imported by" src="https://sourcegraph.com/github.com/cosmos/cosmos-sdk/-/badge.svg" />
</a>
<img alt="Sims" src="https://github.com/cosmos/cosmos-sdk/workflows/Sims/badge.svg" />
<img alt="Lint Satus" src="https://github.com/cosmos/cosmos-sdk/workflows/Lint/badge.svg" />
</div>
The Cosmos SDK is a framework for building blockchain applications. [Tendermint Core (BFT Consensus)](https://github.com/tendermint/tendermint) and the Cosmos SDK are written in the Golang programming language. Cosmos SDK is used to build [Gaia](https://github.com/cosmos/gaia), the first implementation of the Cosmos Hub.
**WARNING**: The Cosmos SDK has mostly stabilized, but we are still making some
breaking changes.
**Note**: Requires [Go 1.18+](https://golang.org/dl/)
## Quick Start
To learn how the Cosmos SDK works from a high-level perspective, see the Cosmos SDK [High-Level Intro](./docs/intro/overview.md).
If you want to get started quickly and learn how to build on top of Cosmos SDK, visit [Cosmos SDK Tutorials](https://tutorials.cosmos.network). You can also fork the tutorial's repository to get started building your own Cosmos SDK application.
For more information, see the [Cosmos SDK Documentation](./docs/).
## Contributing
See [CONTRIBUTING.md](./CONTRIBUTING.md) for details how to contribute and participate in our [dev calls](./CONTRIBUTING.md#teams-dev-calls).
If you want to follow the updates or learn more about the latest design then join our [Discord](https://discord.com/invite/cosmosnetwork).
## Tools and Frameworks
The Cosmos ecosystem is vast. We will only make a few notable mentions here.
+ [Tools](https://v1.cosmos.network/tools): notable frameworks and modules.
+ [CosmJS](https://github.com/cosmos/cosmjs): the Swiss Army knife to power JavaScript based client solutions.
### Cosmos Hub Mainnet
The Cosmos Hub application, `gaia`, has moved to its own [cosmos/gaia repository](https://github.com/cosmos/gaia). Go there to join the Cosmos Hub mainnet and more.
### Inter-Blockchain Communication (IBC)
The IBC module for the Cosmos SDK has moved to its own [cosmos/ibc-go repository](https://github.com/cosmos/ibc-go). Go there to build and integrate with the IBC module.
### Ignite CLI
Ignite CLI is the all-in-one platform to build, launch, and maintain any crypto application on a sovereign and secured blockchain. If you are building a new app or a new module, use [Ignite CLI](https://github.com/ignite-hq/cli) to get started and speed up development.
## Disambiguation
This Cosmos SDK project is not related to the [React-Cosmos](https://github.com/react-cosmos/react-cosmos) project (yet). Many thanks to Evan Coury and Ovidiu (@skidding) for this Github organization name. As per our agreement, this disambiguation notice will stay here.
<!--
parent:
order: false
-->
**WARNING**: This is a fork of the cosmos-sdk for the purposes of Wormhole.
<div align="center">
<h1> Cosmos SDK </h1>
</div>
![banner](docs/cosmos-sdk-image.jpg)
<div align="center">
<a href="https://github.com/cosmos/cosmos-sdk/releases/latest">
<img alt="Version" src="https://img.shields.io/github/tag/cosmos/cosmos-sdk.svg" />
</a>
<a href="https://github.com/cosmos/cosmos-sdk/blob/master/LICENSE">
<img alt="License: Apache-2.0" src="https://img.shields.io/github/license/cosmos/cosmos-sdk.svg" />
</a>
<a href="https://pkg.go.dev/github.com/cosmos/cosmos-sdk?tab=doc">
<img alt="GoDoc" src="https://godoc.org/github.com/cosmos/cosmos-sdk?status.svg" />
</a>
<a href="https://goreportcard.com/report/github.com/cosmos/cosmos-sdk">
<img alt="Go report card" src="https://goreportcard.com/badge/github.com/cosmos/cosmos-sdk" />
</a>
<a href="https://codecov.io/gh/cosmos/cosmos-sdk">
<img alt="Code Coverage" src="https://codecov.io/gh/cosmos/cosmos-sdk/branch/master/graph/badge.svg" />
</a>
</div>
<div align="center">
<a href="https://github.com/cosmos/cosmos-sdk">
<img alt="Lines Of Code" src="https://tokei.rs/b1/github/cosmos/cosmos-sdk" />
</a>
<a href="https://discord.gg/AzefAFd">
<img alt="Discord" src="https://img.shields.io/discord/669268347736686612.svg" />
</a>
<a href="https://sourcegraph.com/github.com/cosmos/cosmos-sdk?badge">
<img alt="Imported by" src="https://sourcegraph.com/github.com/cosmos/cosmos-sdk/-/badge.svg" />
</a>
<img alt="Sims" src="https://github.com/cosmos/cosmos-sdk/workflows/Sims/badge.svg" />
<img alt="Lint Satus" src="https://github.com/cosmos/cosmos-sdk/workflows/Lint/badge.svg" />
</div>
The Cosmos-SDK is a framework for building blockchain applications in Golang.
It is being used to build [`Gaia`](https://github.com/cosmos/gaia), the first implementation of the Cosmos Hub.
**WARNING**: The SDK has mostly stabilized, but we are still making some
breaking changes.
**Note**: Requires [Go 1.15+](https://golang.org/dl/)
## Quick Start
To learn how the SDK works from a high-level perspective, go to the [SDK Intro](./docs/intro/overview.md).
If you want to get started quickly and learn how to build on top of the SDK, please follow the [SDK Application Tutorial](https://tutorials.cosmos.network/nameservice/tutorial/00-intro.html). You can also fork the tutorial's repository to get started building your own Cosmos SDK application.
For more, please go to the [Cosmos SDK Docs](./docs/).
## Cosmos Hub Mainnet
The Cosmos Hub application, `gaia`, has moved to its [own repository](https://github.com/cosmos/gaia). Go there to join the Cosmos Hub mainnet and more.
## Interblockchain Communication (IBC)
The IBC module for the SDK has moved to its [own repository](https://github.com/cosmos/ibc-go). Go there to build and integrate with the IBC module.
## Starport
If you are starting a new app or a new module you can use [Starport](https://github.com/tendermint/starport) to help you get started and speed up development. If you have any questions or find a bug, feel free to open an issue in the repo.
## Disambiguation
This Cosmos-SDK project is not related to the [React-Cosmos](https://github.com/react-cosmos/react-cosmos) project (yet). Many thanks to Evan Coury and Ovidiu (@skidding) for this Github organization name. As per our agreement, this disambiguation notice will stay here.
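Review bot: the added README text steps backwards from the removed text on several details: the added `**Note**: Requires [Go 1.15+](https://golang.org/dl/)` replaces the removed `Go 1.18+`, the added `## Starport` section replaces the removed `### Ignite CLI` section, and the tutorial link changes from `https://tutorials.cosmos.network` to the nameservice tutorial URL; confirm the Go requirement matches what this fork actually builds with and keep the current tool names, otherwise the quick-start will send new contributors to the wrong toolchain. Second, every badge in both versions still points at upstream `cosmos/cosmos-sdk` (version, license, coverage, Sims and Lint workflows), so in a fork that declares itself a fork for Wormhole they report upstream state rather than this repository's; either repoint them at the fork or drop them so the fork's CI and coverage status are not misrepresented. Finally, the `alt="Lint Satus"` typo is carried over unchanged and should read `Lint Status`.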


@ -1,134 +1,14 @@
# Security
> **IMPORTANT**: If you find a security issue, you can contact our team directly at
security@tendermint.com, or report it to our [bug bounty program](https://hackerone.com/tendermint) on HackerOne. *DO NOT* open a public issue on the repository.
> **IMPORTANT**: If you find a security issue in the upstream version of the cosmos-sdk, you should refer to the upstream [SECURITY.md](https://github.com/cosmos/cosmos-sdk/blob/main/SECURITY.md).
## Bug Bounty Program
## Bug Bounty
This repository and it's changes from the upstream cosmos-sdk are not currently included in the [Wormhole bug bounty program](https://immunefi.com/bounty/wormhole/), but may be added in the future.
As part of our [Coordinated Vulnerability Disclosure Policy](https://tendermint.com/security), we operate a
[bug bounty program](https://hackerone.com/tendermint) with Hacker One.
In the mean-time, if you find a security issue, we ask that you reach out to our team via [Discord](https://discord.gg/wormholecrypto).
See the policy linked above for more details on submissions and rewards and read
this [blog post](https://blog.cosmos.network/bug-bounty-program-for-tendermint-cosmos-833c67693586) for the program scope.
## 3rd Party Security Audits
The following is a list of examples of the kinds of bugs we're most interested
in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested
in for Tendermint and other lower-level libraries (eg. [IAVL](https://github.com/tendermint/iavl)).
We engage 3rd party firms to conduct independent security audits of Wormhole. At any given time, we likely have multiple audit streams in progress.
### Core packages
- [`/baseapp`](https://github.com/cosmos/cosmos-sdk/tree/master/baseapp)
- [`/crypto`](https://github.com/cosmos/cosmos-sdk/tree/master/crypto)
- [`/types`](https://github.com/cosmos/cosmos-sdk/tree/master/types)
- [`/store`](https://github.com/cosmos/cosmos-sdk/tree/master/store)
### Modules
- [`x/auth`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth)
- [`x/bank`](https://github.com/cosmos/cosmos-sdk/tree/master/x/bank)
- [`x/capability`](https://github.com/cosmos/cosmos-sdk/tree/master/x/capability)
- [`x/staking`](https://github.com/cosmos/cosmos-sdk/tree/master/x/staking)
- [`x/slashing`](https://github.com/cosmos/cosmos-sdk/tree/master/x/slashing)
- [`x/evidence`](https://github.com/cosmos/cosmos-sdk/tree/master/x/evidence)
- [`x/distribution`](https://github.com/cosmos/cosmos-sdk/tree/master/x/distribution)
- [`x/ibc`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc)
- [`x/ibc-transfer`](https://github.com/cosmos/cosmos-sdk/tree/master/x/ibc-transfer)
- [`x/mint`](https://github.com/cosmos/cosmos-sdk/tree/master/x/mint)
We are interested in bugs in other modules, however the above are most likely to
have significant vulnerabilities, due to the complexity / nuance involved. We
also recommend you to read the [specification](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules/README.md) of each module before digging into
the code.
### How we process Tx parameters
- Integer operations on tx parameters, especially `sdk.Int` / `sdk.Dec`
- Gas calculation & parameter choices
- Tx signature verification (see [`x/auth/ante`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth/ante))
- Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)
### Handling private keys
- HD key derivation, local and Ledger, and all key-management functionality
- Side-channel attack vectors with our implementations
- e.g. key exfiltration based on time or memory-access patterns when decrypting privkey
## Disclosure Process
The Cosmos SDK team uses the following disclosure process:
1. After a security report is received, the Cosmos SDK team works to verify the issue and confirm its severity level using Common Vulnerability Scoring System (CVSS).
1. The Cosmos SDK team collaborates with the Tendermint and Gaia teams to determine the vulnerabilitys potential impact on the Cosmos Hub and partners.
1. Patches are prepared in private repositories for eligible releases of Cosmos SDK. See [Stable Releases](https://github.com/cosmos/cosmos-sdk/blob/master/STABLE_RELEASES.md) for a list of eligible releases.
1. If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
1. We notify the community that a security release is coming to give users time to prepare their systems for the update. Notifications can include forum posts, tweets, and emails to partners and validators.
1. 24 hours after the notification, fixes are applied publicly and new releases are issued.
1. The Gaia team updates their Tendermint Core and Cosmos SDK dependencies to use these releases and then issues new Gaia releases.
1. After releases are available for Tendermint Core, Cosmos SDK, and Gaia, we notify the community again through the same channels. We also publish a Security Advisory on Github and publish the CVE, as long as the Security Advisory and the CVE do not include information on how to exploit these vulnerabilities beyond the information that is available in the patch.
1. After the community is notified, Tendermint pays out any relevant bug bounties to submitters.
1. One week after the releases go out, we publish a post with details and our response to the vulnerability.
This process can take some time. Every effort is made to handle the bug in as timely a manner as possible. However, it's important that we follow this security process to ensure that disclosures are handled consistently and to keep Cosmos SDK and its downstream dependent projects--including but not limited to Gaia and the Cosmos Hub--as secure as possible.
### Disclosure Communications
Communications to partners usually include the following details:
1. Affected version or versions
1. New release version
1. Impact on user funds
1. For timed releases, a date and time that the new release will be made available
1. Impact on the partners if upgrades are not completed in a timely manner
1. Potential required actions if an adverse condition arises during the security release process
An example notice looks like:
```
Dear Cosmos SDK partners,
A critical security vulnerability has been identified in Cosmos SDK vX.X.X.
User funds are NOT at risk; however, the vulnerability can result in a chain halt.
This notice is to inform you that on [[**March 1 at 1pm EST/6pm UTC**]], we will be releasing Cosmos SDK vX.X.Y to fix the security issue.
We ask all validators to upgrade their nodes ASAP.
If the chain halts, validators with sufficient voting power must upgrade and come online for the chain to resume.
```
### Example Timeline
The following timeline is an example of triage and response. Each task identifies the required roles and team members; however, multiple people can play each role and each person may play multiple roles.
#### 24+ Hours Before Release Time
1. Request CVE number (ADMIN)
1. Gather emails and other contact info for validators (COMMS LEAD)
1. Test fixes on a testnet (COSMOS SDK ENG)
1. Write “Security Advisory” for forum (COSMOS SDK LEAD)
#### 24 Hours Before Release Time
1. Post “Security Advisory” pre-notification on forum (COSMOS SDK LEAD)
1. Post Tweet linking to forum post (COMMS LEAD)
1. Announce security advisory/link to post in various other social channels (Telegram, Discord) (COMMS LEAD)
1. Send emails to partners or other users (PARTNERSHIPS LEAD)
#### Release Time
1. Cut Cosmos SDK releases for eligible versions (COSMOS SDK ENG)
1. Cut Gaia release for eligible versions (GAIA ENG)
1. Post “Security releases” on forum (COSMOS SDK LEAD)
1. Post new Tweet linking to forum post (COMMS LEAD)
1. Remind everyone using social channels (Telegram, Discord) that the release is out (COMMS LEAD)
1. Send emails to validators and other users (COMMS LEAD)
1. Publish Security Advisory and CVE if the CVE has no sensitive information (ADMIN)
#### After Release Time
1. Write forum post with exploit details (COSMOS SDK LEAD)
1. Approve payout on HackerOne for submitter (ADMIN)
#### 7 Days After Release Time
1. Publish CVE if it has not yet been published (ADMIN)
1. Publish forum post with exploit details (COSMOS SDK ENG, COSMOS SDK LEAD)
As these 3rd party audits are completed and issues are sufficiently addressed, we make those audit reports public.
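Review bot: the added file replaces a private reporting path with a public one: the removed text directed reporters to security@tendermint.com or the HackerOne program and said *DO NOT* open a public issue, whereas the added text only says to "reach out to our team via [Discord](https://discord.gg/wormholecrypto)" and names no private channel, no response expectations and no disclosure process. A chat invite link is not a confidential intake for vulnerability details; add a dedicated security contact that is not a public channel (a security mailbox, for example), keep the explicit request not to file public issues, and state, even briefly, how and when reports are acknowledged, since the removed disclosure process, communications template and example timeline are deleted without any replacement. Two wording fixes in the same hunk: `it's changes` should be `its changes`, and `In the mean-time` should be `In the meantime`.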