From ee12ebf052e98410b21514696e8d7d7f127f4d68 Mon Sep 17 00:00:00 2001 From: Chandragupta Singh Date: Mon, 4 Dec 2023 15:32:48 +0530 Subject: [PATCH 1/5] Security Policy --- SECURITY.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..13561e856 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,70 @@ +# Security Policy + +## Introduction + +Security researchers are essential in identifying vulnerabilities that may impact the Comdex ecosystem. If you have discovered a security vulnerability in the Comdex chain or any repository managed by Comdex, we encourage you to notify us using one of the methods outlined below. + +### Guidelines for Responsible Vulnerability Testing and Reporting + +1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to: + - Comdex mainnet `comdex-1` + - Comdex frontend + - Comdex public testnets + - Comdex testnet frontend + +2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues** + +## Reporting Security Issues + +### GitHub Private Vulnerability Reporting + +Utilize [GitHub's Private Vulnerability Reporting](https://github.com/comdex-official/comdex/security/advisories/new) for confidential disclosure. + +## Submit Vulnerability Report + +When reporting a vulnerability through either method, please include the following details to aid in our assessment: + +- Type of vulnerability +- Description of the vulnerability +- Steps to reproduce the issue +- Impact of the issue +- Explanation on how an attacker could exploit it + +## Vulnerability Disclosure Process + +1. **Initial Report**: Submit the vulnerability via one of the above channels. +2. **Confirmation**: We will confirm receipt of your report within 48 hours. +3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution. +4. **Resolution**: Once fixed, you will be contacted to verify the solution. +5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk. 
+ +During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade. + +During this time: + +- Avoid exploiting any vulnerabilities you discover. +- Demonstrate good faith by not disrupting or degrading Comdex's services. + +## Feature request + +For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Juno. + +## Severity Characterization + +| Severity | Description | +|--------------|-------------------------------------------------------------------------| +| **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) | +| **HIGH** | Significant impact on major functionality | +| **MEDIUM** | Impacts minor features or exposes non-sensitive data | +| **LOW** | Minimal impact | + +## Bug Bounty + +Though we don't have an official bug bounty program, we generally offer rewards to security researchers who responsibly disclose vulnerabilities to us. Bounties are generally awarded for vulnerabilities classified as **high** or **critical** severity. Bounty amounts will be determined during the disclosure process, after the severity has been assessed. + +> [!WARNING] +> Targeting our production environments will disqualify you from receiving any bounty. + +## Feedback on this Policy + +For recommendations on how to improve this policy, submit a pull request. \ No newline at end of file From 1f91d7fce2aa81464268f4d0bf48cbe1ba3b73e6 Mon Sep 17 00:00:00 2001 From: Chandragupta Singh Date: Mon, 4 Dec 2023 18:33:54 +0530 Subject: [PATCH 2/5] Email added in security doc --- SECURITY.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/SECURITY.md b/SECURITY.md index 13561e856..4a83b9c9f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,9 +14,13 @@ Security researchers are essential in identifying vulnerabilities that may impac 2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues** -## Reporting Security Issues +To privately report a security vulnerability, please choose one of the following options: -### GitHub Private Vulnerability Reporting +### 1. Email + +Send your detailed vulnerability report to `dheeraj@comdex.one`. + +### 2. GitHub Private Vulnerability Reporting Utilize [GitHub's Private Vulnerability Reporting](https://github.com/comdex-official/comdex/security/advisories/new) for confidential disclosure. @@ -47,7 +51,7 @@ During this time: ## Feature request -For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Juno. +For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on comdex. ## Severity Characterization @@ -67,4 +71,4 @@ Though we don't have an official bug bounty program, we generally offer rewards ## Feedback on this Policy -For recommendations on how to improve this policy, submit a pull request. \ No newline at end of file +For recommendations on how to improve this policy, either submit a pull request or send an email to `dheeraj@comdex.one`. \ No newline at end of file From 7d8d61d7c066d0d6ae4f5f5955abc8e13c3788bb Mon Sep 17 00:00:00 2001 From: Dheeraj Dubey Date: Mon, 4 Dec 2023 19:05:05 +0530 Subject: [PATCH 3/5] Update SECURITY.md --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4a83b9c9f..1e2c8f622 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -18,7 +18,7 @@ To privately report a security vulnerability, please choose one of the following ### 1. Email -Send your detailed vulnerability report to `dheeraj@comdex.one`. +Send your detailed vulnerability report to `security@comdex.one`. ### 2. GitHub Private Vulnerability Reporting @@ -71,4 +71,4 @@ Though we don't have an official bug bounty program, we generally offer rewards ## Feedback on this Policy -For recommendations on how to improve this policy, either submit a pull request or send an email to `dheeraj@comdex.one`. \ No newline at end of file +For recommendations on how to improve this policy, either submit a pull request or send an email to `dheeraj@comdex.one`. From 1d64d04f202bd3cac3523a614a68ede0731484bc Mon Sep 17 00:00:00 2001 From: Dheeraj Dubey Date: Mon, 4 Dec 2023 19:06:51 +0530 Subject: [PATCH 4/5] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 1e2c8f622..fbd7ed5cd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -71,4 +71,4 @@ Though we don't have an official bug bounty program, we generally offer rewards ## Feedback on this Policy -For recommendations on how to improve this policy, either submit a pull request or send an email to `dheeraj@comdex.one`. +For recommendations on how to improve this policy, either submit a pull request or send an email to `security@comdex.one`. From 9d9af804c145119b151e1d8dd1aa73816cf9a6de Mon Sep 17 00:00:00 2001 From: Chandragupta Singh Date: Mon, 4 Dec 2023 19:24:58 +0530 Subject: [PATCH 5/5] linting fixed --- SECURITY.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index fbd7ed5cd..f595fbe4f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -7,10 +7,11 @@ Security researchers are essential in identifying vulnerabilities that may impac ### Guidelines for Responsible Vulnerability Testing and Reporting 1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to: - - Comdex mainnet `comdex-1` - - Comdex frontend - - Comdex public testnets - - Comdex testnet frontend + +- Comdex mainnet `comdex-1` +- Comdex frontend +- Comdex public testnets +- Comdex testnet frontend 2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues** @@ -56,7 +57,7 @@ For a feature request, e.g. module inclusion, please make a GitHub issue. Clearl ## Severity Characterization | Severity | Description | -|--------------|-------------------------------------------------------------------------| +| ------------ | ----------------------------------------------------------------------- | | **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) | | **HIGH** | Significant impact on major functionality | | **MEDIUM** | Impacts minor features or exposes non-sensitive data | @@ -66,9 +67,9 @@ For a feature request, e.g. module inclusion, please make a GitHub issue. Clearl Though we don't have an official bug bounty program, we generally offer rewards to security researchers who responsibly disclose vulnerabilities to us. Bounties are generally awarded for vulnerabilities classified as **high** or **critical** severity. Bounty amounts will be determined during the disclosure process, after the severity has been assessed. -> [!WARNING] +> [!WARNING] > Targeting our production environments will disqualify you from receiving any bounty. ## Feedback on this Policy -For recommendations on how to improve this policy, either submit a pull request or send an email to `security@comdex.one`. +For recommendations on how to improve this policy, either submit a pull request or email `security@comdex.one`.
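Review bot: in patch 1, the Submit Vulnerability Report section says "When reporting a vulnerability through either method", but this version of SECURITY.md documents only one channel (GitHub Private Vulnerability Reporting), so the sentence dangles until the email channel arrives in patch 2; either add the second channel in the same commit or write "through the channel above". The Feature request paragraph in the same hunk reads "developers on Juno", which looks like a leftover from another chain's policy and should say "Comdex" here rather than in a follow-up.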
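Review bot: patch 2 routes private reports to a personal mailbox, `dheeraj@comdex.one`, which ties the disclosure path to one individual and will go stale when that person's role changes; a role address such as the `security@comdex.one` that later patches settle on should be used from the start. The section also asks researchers to keep reports confidential but gives them no way to encrypt a report with reproduction steps: publish a PGP key or its fingerprint next to the address. Minor: the corrected Feature request line writes "on comdex" in lowercase while the rest of the file writes "Comdex".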
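Review bot: patch 3 changes the address in the Email section to `security@comdex.one` but leaves the Feedback on this Policy section pointing at `dheeraj@comdex.one`, so the file advertises two different contacts until patch 4 fixes the second one a minute later. Squash patches 3 and 4 into a single "Update SECURITY.md" commit, and when replacing a contact address, search the whole file for every occurrence before committing.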
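Review bot: the "linting fixed" hunk in patch 5 dedents the four environment bullets (`comdex-1` mainnet, frontend, public testnets, testnet frontend) to the left margin, which turns them from sub-items of guideline 1 into a separate list sitting between items 1 and 2; the numbered list is split and the environments no longer read as the examples that "including but not limited to" introduces. If the linter objects to the original indent, indent the bullets at least three spaces (the width of the `1. ` marker) so they stay nested under item 1 and still satisfy the rule.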