title | description | version |
---|---|---|
PKI and Software Defects Policy |
Security and Operations Responsible Disclosure Statement. |
2022-03 |
code signing, pki & gpg/pgp
Sam Bacha <[email protected]> (71BB551C7CC9FFB1)
Fingerprint: CAC5 FF21 2568 E075 E4C0 024C 71BB 551C 7CC9 FFB1
KeyId: 7CC9FFB1
Added on March. 24, 2022
At CommodityStream Inc, security is a priority. But regardless of how much effort we put into system security, there may still be vulnerabilities present. If you discover a vulnerability, we want to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
If you think you have discovered a security issue in any of the our projects, we’d love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer.
Warning
|
|
The process the Operations Security Team will follow when dealing with security bugs is detailed below:
-
The person discovering the issue, the reporter, reports the vulnerability privately to
-
Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in our software are ignored and no further action is required.
-
The project team sends an e-mail to the original reporter to acknowledge the report within 12 hours.
-
The project team investigates report and either rejects it or accepts it.
-
If the report is rejected, the project team writes to the reporter to explain why.
-
If the report is accepted, the project team writes to the reporter to let them know it is accepted and that they are working on a fix.
-
The project team requests a CVE number from security at manifoldfinance.com by logging a request at: https://github.com/manifoldfinance/defi-threat
-
The project team agrees the fix on their private list.
-
The project team provides the reporter with a copy of the fix and a draft vulnerability announcement for comment.
-
The project team agrees to the fix, the announcement and the release schedule with the reporter. The level of detail to include in the report is a matter of judgement. Generally, reports should contain enough information to enable people to assess the risk associated with the vulnerability for their system and no more. Steps to reproduce the vulnerability are not normally included.
-
The project team commits the fix. No reference should be made to the commit being related to a security vulnerability.
-
The project team creates a release that includes the fix.
-
The project team announces the release. The release announcement should be sent to the usual mailing lists (typically the project’s user list, dev list, announce list and our public announce list).
-
The project team announces the vulnerability. The vulnerability announcement should be sent after the release announcement to the following destinations:
-
the same destinations as the release announcement
-
the vulnerability reporter
-
github.com/manifoldfinance/defi-threat
We utilize MITRE Corporations ATT\&CK and CVE Process [CVE Form, Mitre.org](https://cveform.mitre.org/)
Submissions should be in the following format
<div class="cveFormatExample">
\[CVEID\]:CVE-2021-0000 \[PRODUCT\]:{$PRODUCT_NAME} \[VERSION\]:0.0.0
\[PROBLEMTYPE\]:Information Disclosure
\[REFERENCES\]:https://github.com/manifoldfinance/\$REPO\[DESCRIPTION\]:
<!-- Description Starts -->
...
<!-- Description Ends -->
</div>
contact: pgp contact: [email protected] telegram: @sambacha