Add new bounty and audits in progress (#1516)
* Add new bounty * Fix typos * Update SECURITY.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> * Update SECURITY.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> * Update SECURITY.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> * Update SECURITY.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> * Add audits in progress Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org>
This commit is contained in:
Jonathan Claudius
GitHub
parent
811e17afb0
commit
fdc51433c6
44
SECURITY.md
44
SECURITY.md
|
|
@ -2,13 +2,19 @@
|
|||
|
||||
## Bug Bounty Program
|
||||
|
||||
We operate a **[bug bounty program](https://immunefi.com/bounty/wormhole/)** to financially incentivize independent researchers (with up to $10,000,000 USDC) to find and responsibly disclose security issues in Wormhole.
|
||||
The Wormhole project operates two bug bounty programs to financially incentivize independent researchers for finding and responsibly disclosing security issues.
|
||||
|
||||
If you find a security issue in wormhole, we ask that you immediately **[report the bug](https://immunefi.com/bounty/wormhole/)** to our security team.
|
||||
- [Self-Hosted Program](https://wormhole.com/bounty/)
|
||||
- **Scopes**: Guardian and Smart Contracts
|
||||
- **Rewards**: Up to $10,000,000 USDC
|
||||
- [Immunefi-Hosted Program](https://immunefi.com/bounty/wormhole/)
|
||||
- **Scopes**: Guardian and Smart Contracts
|
||||
- **Rewards**: Up to $10,000,000 USDC
|
||||
|
||||
If you find a security issue in Wormhole, please report the issue immediately.
|
||||
## 3rd Party Security Audits
|
||||
|
||||
We engage 3rd party firms to conduct independent security audits of Wormhole. At any given time, we likely have multiple audit streams in progress.
|
||||
The Wormhole project engages 3rd party firms to conduct independent security audits of Wormhole. At any given time, multiple audit streams are likely in progress.
|
||||
|
||||
As these 3rd party audits are completed and issues are sufficiently addressed, we make those audit reports public.
|
||||
|
||||
|
|
@ -17,26 +23,36 @@ As these 3rd party audits are completed and issues are sufficiently addressed, w
|
|||
- **[July 1, 2022 - Kudelski](https://storage.googleapis.com/wormhole-audits/2022-07-01_kudelski.pdf)**
|
||||
- **Scopes**: _Ethereum Contracts, Solana Contracts, Terra Contracts, and Guardian_
|
||||
- **[August 16, 2022 - Kudelski](https://storage.googleapis.com/wormhole-audits/2022-08-16_kudelski.pdf)**
|
||||
- **Scopes**: _Algorand Contracts_
|
||||
- **Scope**: _Algorand Contracts_
|
||||
- **Q3 2022 - OtterSec (DRAFT)**
|
||||
- **Scope**: _NEAR Contracts_
|
||||
- **Q3 2022 - Halborn (DRAFT)**
|
||||
- **Scope**: _Wormchain and Accounting_
|
||||
- **Q3 2022 - Certik (DRAFT)**
|
||||
- **Scope**: _Ethereum Contracts, Solana Contracts, Terra Contracts, Guardian, and Solitaire_
|
||||
- **Q3 2022 - Trail of Bits (TESTING)**
|
||||
- **Scope**: _Ethereum Contracts and Solana Contracts_
|
||||
- **Q3 2022 - Coinspect (SCHEDULED)**
|
||||
- **Scope**: _Algorand Contracts_
|
||||
|
||||
## White-Hat Hacking on Wormhole
|
||||
|
||||
We want to lower the bar for White-hat hackers to find security bugs in Wormhole. Why? The easier we make this process, the more likely it will be for white-hats to find bugs in Wormhole and responsibly disclose them, helping to secure the network.
|
||||
The Wormhole project wants to lower the bar for White-hat hackers to find security bugs in Wormhole. Why? The easier this process, the more likely it will be for white-hats to find bugs in Wormhole and responsibly disclose them, helping to secure the network.
|
||||
|
||||
Here's a list of strategies we've found helpful for getting started on Wormhole:
|
||||
Here's a list of strategies that are helpful for getting started on Wormhole:
|
||||
|
||||
- Review the existing unit and integration testing (found in [CONTRIBUTING.md](https://github.com/wormhole-foundation/wormhole/blob/dev.v2/CONTRIBUTING.md)) and see what we're already testing for.
|
||||
- Check out places were we might be missing test coverage entirely. This could be a ripe spot to look for something we missed.
|
||||
- Check out places were we have unit/integration tests, but we lack sufficient [negative test](https://en.wikipedia.org/wiki/Negative_testing) coverage.
|
||||
- Review our different smart contract implementations (eg. Solana, EVM, CosmWasm, Move) and attempt to understand how and why they are different.
|
||||
- Review the existing unit and integration testing (found in [CONTRIBUTING.md](https://github.com/wormhole-foundation/wormhole/blob/dev.v2/CONTRIBUTING.md)) and see what is already being testing for.
|
||||
- Check out places where there might be missing test coverage entirely. This could be a ripe spot to look for something we missed.
|
||||
- Check out places where there are unit/integration tests, but they lack sufficient [negative test](https://en.wikipedia.org/wiki/Negative_testing) coverage.
|
||||
- Review different smart contract implementations (eg. Solana, EVM, CosmWasm, Move) and attempt to understand how and why they are different.
|
||||
- Does one chain have a safety check that another chain doesn't?
|
||||
- Does one chain have a specific set of nuances / gotchas that that were missed on another chain?
|
||||
- Consider going beyond the source code
|
||||
- Review the deployed contracts on chain. Is something odd that we missed?
|
||||
- Review the deployed contracts on chain. Is something odd that may have been missed?
|
||||
|
||||
We'll continue to iterate on this list of white-hat bootstrap strategies as we grow our lessons learned internally hacking on Wormhole and from other white-hats who have been successful via our bug bounty program.
|
||||
This section will continue iterating on white-hat bootstrap strategies as lessons are learned hacking on Wormhole and from community members.
|
||||
|
||||
It's important to remember this is an iterative process. If you spend the time to come up with a new test case, but didn't actually find a bug, we'd be extremely appreciative if you'd be willing to send a [pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request) with additional positive and negative test cases. This process has shown repeatedly to improve your ability to understand Wormhole, and will increase your odds of success.
|
||||
It's important to remember this is an iterative process and to stay positive. If you spend the time coming up with a new test case, but didn't actually find a bug, please send a [pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request) with additional positive and negative test cases. This process has shown repeatedly to improve your ability to understand Wormhole, and will increase your odds of finding future bugs.
|
||||
|
||||
## Guidance to Chain Integrators
|
||||
|
||||
|
|
@ -58,4 +74,4 @@ Additionally, ensure:
|
|||
- The Wormhole team has sufficient contact information and an associated call or page tree to reach you in the event of a security incident.
|
||||
- That Wormhole has the full upgrade authority on relevant bridge contracts to act quickly in the case of a security incident.
|
||||
- You have an established incident response program in place, with established patterns and playbooks to ensure deterministic outcomes for containment.
|
||||
- When security issues do occur, that the chain makes every attempt to inform affected parties and leads with transparency.
|
||||
- When security issues do occur, please make sure that the chain makes every attempt to inform affected parties and leads with transparency.
|
||||
Loading…
Reference in New Issue