update SECURITY.md (#5377)

* update SECURITY.md * add comment on bug report * format
2019-12-16 16:24:37 -03:00 · 2019-12-16 16:24:37 -03:00 · b7ec16951f
parent b04dcf2be0
commit b7ec16951f
2 changed files with 51 additions and 22 deletions
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@ -10,21 +10,27 @@ v    Before smashing the submit button please review the template.
 v    Please also ensure that this is not a duplicate issue :)  
 ☺ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >  -->

+<!--
+IMPORTANT: Prior to opening a bug report, check if it affects one of the core modules
+and if its elegible for a bug bounty on `SECURITY.md`. Bugs that are not submitted
+through the appropriate channels won't receive any bounty.
+ -->
+
 ## Summary of Bug

 <!-- Concisely describe the issue -->

 ## Version

-<!-- git commit hash -->
+<!-- git commit hash or release version -->

 ## Steps to Reproduce

-<!-- What commands in order should someone run to reproduce your problem -->
+<!-- What commands in order should someone run to reproduce your problem? -->

 ____

-#### For Admin Use
+## For Admin Use

 - [ ] Not duplicate issue
 - [ ] Appropriate labels applied
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,29 +1,52 @@
 # Security

-As part of our [Coordinated Vulnerability Disclosure
-Policy](https://tendermint.com/security), we operate a bug bounty.
-See the policy for more details on submissions and rewards.
+> **IMPORTANT**: If you find a security issue, you can contact our team directly at
+security@tendermint.com, or report it to our [bug bounty program](https://hackerone.com/tendermint) on HackerOne. *DO NOT* open a public issue on the repository.

-The following is a list of examples of the kinds of bugs we're most interested in for
-the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL.
+## Bug Bounty

-## Modules 
- x/staking
- x/slashing
- x/types
- x/gov
+As part of our [Coordinated Vulnerability Disclosure Policy](https://tendermint.com/security), we operate a
+[bug bounty program](https://hackerone.com/tendermint) with Hacker One.

-We are interested in bugs in other modules, however the above are most likely to have 
-significant vulnerabilities, due to the complexity / nuance involved
+See the policy linked above for more details on submissions and rewards and read
+this [blog post](https://blog.cosmos.network/bug-bounty-program-for-tendermint-cosmos-833c67693586) for the program scope.

-## How we process Tx parameters
- Integer operations on tx parameters, especially sdk.Int / sdk.Uint
- Gas calculation & parameter choices 
- Tx signature verification (code in x/auth/ante.go)
- Possible Node DoS vectors. (Perhaps due to Gas weighting / non constant timing)
+The following is a list of examples of the kinds of bugs we're most interested
+in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested
+in for Tendermint and other lower-level libraries (eg. [IAVL](https://github.com/tendermint/iavl)).
+
+### Core packages
+
+- [`/baseapp`](https://github.com/cosmos/cosmos-sdk/tree/master/baseapp)
+- [`/crypto`](https://github.com/cosmos/cosmos-sdk/tree/master/crypto)
+- [`/types`](https://github.com/cosmos/cosmos-sdk/tree/master/types)
+- [`/store`](https://github.com/cosmos/cosmos-sdk/tree/master/store)
+
+### Modules
+
+- [`x/auth`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth)
+- [`x/bank`](https://github.com/cosmos/cosmos-sdk/tree/master/x/bank)
+- [`x/staking`](https://github.com/cosmos/cosmos-sdk/tree/master/x/staking)
+- [`x/slashing`](https://github.com/cosmos/cosmos-sdk/tree/master/x/slashing)
+- [`x/evidence`](https://github.com/cosmos/cosmos-sdk/tree/master/x/evidence)
+- [`x/distribution`](https://github.com/cosmos/cosmos-sdk/tree/master/x/distribution)
+- [`x/supply`](https://github.com/cosmos/cosmos-sdk/tree/master/x/supply)
+- [`x/ibc`](https://github.com/cosmos/cosmos-sdk/tree/ibc-alpha/x/ibc) (currently in alpha mode)
+
+We are interested in bugs in other modules, however the above are most likely to
+have significant vulnerabilities, due to the complexity / nuance involved. We
+also recommend you to read the [specification](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules/README.md) of each module before digging into
+the code.
+
+### How we process Tx parameters
+
+- Integer operations on tx parameters, especially `sdk.Int` / `sdk.Dec`
+- Gas calculation & parameter choices
+- Tx signature verification (see [`x/auth/ante`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth/ante))
+- Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)
+
+### Handling private keys

-## Handling private keys
 - HD key derivation, local and Ledger, and all key-management functionality
 - Side-channel attack vectors with our implementations
  - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey
-