forked from cosmos/cosmos-sdk
Commit
docs: align SECURITY.md for refresh (cosmos#17526)
Showing 1 changed file with 11 additions and 21 deletions.
@@ -21,26 +21,17 @@ the vulnerability can be reproduced on either one of those. | |
|
||
## Reporting a Vulnerability | ||
|
||
| Reporting methods | | ||
|---------------------------------------------------------------| | ||
| [GitHub Private Vulnerability Reporting][gh-private-advisory] | | ||
| [HackerOne bug bounty program][h1] | | ||
|
||
All security vulnerabilities can be reported under GitHub's [Private | ||
vulnerability reporting][gh-private-advisory] system. This will open a private | ||
issue for the developers. Try to fill in as much of the questions as possible. | ||
If you are not familiar with the CVSS system for assessing vulnerabilities, just | ||
use the Low/High/Critical severity ratings. A partially filled in report for a | ||
critical vulnerability is still better than no report at all. | ||
|
||
Vulnerabilities associated with the **Go, Rust or Protobuf code** of the | ||
repository may be eligible for a [bug bounty][h1]. Please see the bug bounty | ||
page for more details on submissions and rewards. If you think the vulnerability | ||
is eligible for a payout, **report on HackerOne first**. | ||
|
||
Vulnerabilities in services and their source codes (JavaScript, web page, Google | ||
Workspace) are not in scope for the bug bounty program, but they are welcome to | ||
be reported in GitHub. | ||
| Reporting methods | Bounty eligible | | ||
|---------------------------------------------------------------|-----------------| | ||
| [HackerOne program][h1] | yes | | ||
| [[email protected]](mailto:[email protected]) | no | | ||
|
||
Issues identified in this repository may be eligible for a [bug bounty][h1]. For your report to be bounty | ||
eligible it must be reported exclusively through the [HackerOne Bug Bounty][h1]. | ||
|
||
If you do not wish to be eligible for a bounty or do not want to use the HackerOne platform to report an | ||
issue, please send your report via email to [[email protected]](mailto:[email protected]) with | ||
reproduction steps and details of the issue. | ||
|
||
### Guidelines | ||
|
||
|
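Review bot: the rewritten Reporting section drops the scope and severity guidance the old paragraphs carried without replacing it. The removed text named Go, Rust and Protobuf code as bounty-eligible, said JavaScript, web page and Google Workspace issues are outside the bounty but still welcome, and told reporters unfamiliar with CVSS to use Low/High/Critical and that a partially filled critical report beats none; the new text says only that issues "may be eligible" and asks for "reproduction steps and details of the issue". Suggest keeping a one-line scope statement next to the table (or pointing at the HackerOne policy page for scope) and restoring the severity hint, e.g. `If you are not familiar with CVSS, just use the Low/High/Critical severity ratings.` Two smaller points: the email route gives no indication whether encrypted reports are accepted, and no key is referenced anywhere in this hunk, so reporters will send reproduction steps for unpatched issues in plaintext unless a PGP key is listed here; and removing the GitHub Private Vulnerability Reporting route is a visible policy change, so if the advisories form stays open, state whether reports submitted there are still triaged, otherwise reporters following the previous version of this file will use a channel it no longer lists.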
@@ -72,7 +63,6 @@ If you follow these guidelines when reporting an issue to us, we commit to: | |
* See [EXAMPLES.md] for some of the examples that we are interested in for the | ||
bug bounty program. | ||
|
||
[gh-private-advisory]: /../../security/advisories/new | ||
[h1]: https://hackerone.com/cosmos | ||
[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md | ||
[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md | ||
|
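Review bot: this hunk drops one of the four link definitions (7 old lines to 6 new), and the removed line should be the `[gh-private-advisory]` entry, since the first hunk deletes both places that referenced it; confirm that is the line removed and that `[h1]`, `[TIMELINE.md]` and `[DISCLOSURE.md]` are kept, as the retained text still uses `[h1]` in the reporting table and bounty paragraph. The `[EXAMPLES.md]` reference in the kept context has no definition within this hunk; it is presumably defined elsewhere in the file, but check that it resolves, because GitHub renders an undefined reference link as literal bracketed text.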