docs: update security policy scope (#5360)
Updates to Tari Vulnerability Disclosure Policy

Description
---
Adds one new example to Commonplace Reports, fixes a typo, and raises
the top bounty reward to $5000 USD to better align with other programs.

Motivation and Context
---
Public and internal discussion in regard to top bounty and reports
received from Yat bounty program.

How Has This Been Tested?
---
n/a

What process can a PR reviewer use to test or verify this change?
---
n/a

<!-- Checklist -->
<!-- 1. Is the title of your PR in the form that would make nice release
notes? The title, excluding the conventional commit
tag, will be included exactly as is in the CHANGELOG, so please think
about it carefully. -->


Breaking Changes
---

- [x] None
- [ ] Requires data directory on base node to be deleted
- [ ] Requires hard fork
- [ ] Other - Please specify

<!-- Does this include a breaking change? If so, include this line as a
footer -->
<!-- BREAKING CHANGE: Description what the user should do, e.g. delete a
database, resync the chain -->
seandiggity authored May 3, 2023
1 parent 746238f commit c72de0a
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions SECURITY.md
Expand Up @@ -51,7 +51,7 @@ [email protected]
PGP fingerprint = 5410 7BD9 02F0 A865 3DDF F4CD 7A4A 432E C35C 9C7E
If pasting GPG encrypted data, use paste.debian.net or paste.ubuntu.com
as these do introduce issues with Tor via Cloudflare.
as these do not introduce issues with Tor via Cloudflare.
```

**You must include:**
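Review bot: the corrected sentence ("do not introduce issues with Tor via Cloudflare") now agrees with the recommendation it supports, but it asserts a property of two third-party services that can change without notice; consider adding a short "as of" date so a reporter can tell when this was last checked, or naming the email address above as the fallback channel for PGP-encrypted attachments if the paste sites stop working over Tor. Separately, this prose sits inside the fenced block that holds the contact address and PGP fingerprint; moving the paste-site advice below the closing ``` fence would let reporters copy the fingerprint block verbatim without the surrounding text.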
Expand Down Expand Up @@ -130,7 +130,7 @@ The value of rewards paid out varies depending on severity and will be guided by

### Payment Amounts

* **Medium, Large, or Critical:** Between $120 to $2000 USD
* **Medium, Large, or Critical:** Between $120 to $5000 USD
* **Small:** Up to $100 USD

Please allow up to one week from the time the report was approved and validated to receive your bounty reward payment.
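Review bot: "Between $120 to $5000 USD" should read "Between $120 and $5000 USD". The raised ceiling matches the commit message, but Medium, Large and Critical still share one range, so a reporter cannot tell what a Critical finding is worth relative to a Medium one; consider one band per severity, or an explicit sentence that the amount within the range follows the severity guidance referenced in the context line above. Note also the gap between the Small cap ("Up to $100 USD") and the $120 floor of the next band.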
Expand All @@ -153,9 +153,10 @@ The following requirements must be adhered to in order to for any report to qual
In addition to the areas defined as [Out of Scope](#out-of-scope) in this policy, the following commonplace reports do not qualify for a bounty reward. Such issues may be disclosed as a [GitHub issue here](https://github.com/tari-project/tari/issues/new?assignees=&labels=bug-report&template=bug_report.md&title=%5BThanks%20for%20making%20Tari%20better%5D).

* Lack of a security feature that is not critical to the system's operation
* Configuration issues that are not relevant to the product/application
* Configuration issues that are not relevant to the network or application
* Application Denial of Service by locking user accounts
* Descriptive error messages or headers (e.g., stack traces, banner grabbing, debug information on a production site)
* Purely technical, public, and non-sensitive network, application, or API information unrelated to a specific exploit
* Disclosure of known public files or directories, (e.g., `robots.txt`)
* Outdated software/library versions
* Lack of security headers, such as the `X-Content-Type-Options` or `X-Frame-Options` headers
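Review bot: the context line "in order to for any report to qualify" has a stray "to", and "public files or directories, (e.g., `robots.txt`)" has a stray comma before the parenthesis; both could be fixed in this docs pass. On substance, "Outdated software/library versions" excludes the whole class without qualification; consider narrowing it to outdated versions without a demonstrated, reachable impact, since a dependency carrying a known exploitable vulnerability on a reachable code path is normally exactly the kind of report a disclosure program wants to receive.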
