Security Policy

Supported Versions

Only the latest Creditcoin node version will receive patches for known vulnerabilities.

Reporting a Security Concern

DO NOT CREATE AN ISSUE to report a security problem.

Go to https://github.com/gluwa/creditcoin/security/advisories/new and open a vulnerability report. Send an email to [email protected] and provide your GitHub username. The team will triage the issue from there.

For security reasons, DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Instead, wait for the advisory to be created, and provide any sensitive details in the private GitHub advisory.

If you haven't done so already, please enable two-factor authentication in your GitHub account.

Send the email from an email domain that is less likely to get flagged for spam by Gmail.

This is an actively monitored account, and the team will quickly respond.

If you do not receive a response within 24 hours, please directly follow up with the team in Discord by reaching out to anyone with the role “Creditcoin Team”.

As above, please DO NOT include attachments or provide detail regarding the security issue in this email.

Incident Response Process

  1. Establish a new draft security advisory
    1. In response to an email to [email protected], a member of the Creditcoin team will create a new draft security advisory for the incident at https://github.com/gluwa/creditcoin/security/advisories.
    2. Add the reporter's GitHub account and relevant individuals to the draft security advisory.
    3. Respond to the reporter by email, sharing a link to the draft security advisory.
  2. The reporter should add appropriate content to the draft security advisory to help the team resolve the issue. This includes:
    1. A clear description of the issue and the impacted areas.
    2. The code and the methodology to reproduce the underlying issue.
    3. Discussion of potential remediations.
  3. Triage
    1. Validate the issue.
    2. Determine the criticality of the issue.
    3. If this is a bug and not a security issue, recommend that the submitter create a regular issue instead.
  4. Release a new version resolving the issue