update SECURITY.md (cosmos#5377)

* update SECURITY.md * add comment on bug report * format
crypto-niac · Dec 16, 2019 · b7ec169 · b7ec169
1 parent b04dcf2
commit b7ec169
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 22 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -10,21 +10,27 @@ v    Before smashing the submit button please review the template.
 v    Please also ensure that this is not a duplicate issue :)  
 ☺ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >  -->
 
+<!--
+IMPORTANT: Prior to opening a bug report, check if it affects one of the core modules
+and if its elegible for a bug bounty on `SECURITY.md`. Bugs that are not submitted
+through the appropriate channels won't receive any bounty.
+ -->
+
 ## Summary of Bug
 
 <!-- Concisely describe the issue -->
 
 ## Version
 
-<!-- git commit hash -->
+<!-- git commit hash or release version -->
 
 ## Steps to Reproduce
 
-<!-- What commands in order should someone run to reproduce your problem -->
+<!-- What commands in order should someone run to reproduce your problem? -->
 
 ____
 
-#### For Admin Use
+## For Admin Use
 
 - [ ] Not duplicate issue
 - [ ] Appropriate labels applied

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,29 +1,52 @@
 # Security
 
-As part of our [Coordinated Vulnerability Disclosure
-Policy](https://tendermint.com/security), we operate a bug bounty.
-See the policy for more details on submissions and rewards.
+> **IMPORTANT**: If you find a security issue, you can contact our team directly at
+[email protected], or report it to our [bug bounty program](https://hackerone.com/tendermint) on HackerOne. *DO NOT* open a public issue on the repository.
 
-The following is a list of examples of the kinds of bugs we're most interested in for
-the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL.
+## Bug Bounty
 
-## Modules 
-- x/staking
-- x/slashing
-- x/types
-- x/gov
+As part of our [Coordinated Vulnerability Disclosure Policy](https://tendermint.com/security), we operate a
+[bug bounty program](https://hackerone.com/tendermint) with Hacker One.
 
-We are interested in bugs in other modules, however the above are most likely to have 
-significant vulnerabilities, due to the complexity / nuance involved
+See the policy linked above for more details on submissions and rewards and read
+this [blog post](https://blog.cosmos.network/bug-bounty-program-for-tendermint-cosmos-833c67693586) for the program scope.
 
-## How we process Tx parameters
-- Integer operations on tx parameters, especially sdk.Int / sdk.Uint
-- Gas calculation & parameter choices 
-- Tx signature verification (code in x/auth/ante.go)
-- Possible Node DoS vectors. (Perhaps due to Gas weighting / non constant timing)
+The following is a list of examples of the kinds of bugs we're most interested
+in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested
+in for Tendermint and other lower-level libraries (eg. [IAVL](https://github.com/tendermint/iavl)).
+
+### Core packages
+
+- [`/baseapp`](https://github.com/cosmos/cosmos-sdk/tree/master/baseapp)
+- [`/crypto`](https://github.com/cosmos/cosmos-sdk/tree/master/crypto)
+- [`/types`](https://github.com/cosmos/cosmos-sdk/tree/master/types)
+- [`/store`](https://github.com/cosmos/cosmos-sdk/tree/master/store)
+
+### Modules
+
+- [`x/auth`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth)
+- [`x/bank`](https://github.com/cosmos/cosmos-sdk/tree/master/x/bank)
+- [`x/staking`](https://github.com/cosmos/cosmos-sdk/tree/master/x/staking)
+- [`x/slashing`](https://github.com/cosmos/cosmos-sdk/tree/master/x/slashing)
+- [`x/evidence`](https://github.com/cosmos/cosmos-sdk/tree/master/x/evidence)
+- [`x/distribution`](https://github.com/cosmos/cosmos-sdk/tree/master/x/distribution)
+- [`x/supply`](https://github.com/cosmos/cosmos-sdk/tree/master/x/supply)
+- [`x/ibc`](https://github.com/cosmos/cosmos-sdk/tree/ibc-alpha/x/ibc) (currently in alpha mode)
+
+We are interested in bugs in other modules, however the above are most likely to
+have significant vulnerabilities, due to the complexity / nuance involved. We
+also recommend you to read the [specification](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules/README.md) of each module before digging into
+the code.
+
+### How we process Tx parameters
+
+- Integer operations on tx parameters, especially `sdk.Int` / `sdk.Dec`
+- Gas calculation & parameter choices
+- Tx signature verification (see [`x/auth/ante`](https://github.com/cosmos/cosmos-sdk/tree/master/x/auth/ante))
+- Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)
+
+### Handling private keys
 
-## Handling private keys
 - HD key derivation, local and Ledger, and all key-management functionality
 - Side-channel attack vectors with our implementations
   - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey
-