Runbook: Reporting a Security Bug
context: Runbooks
While building on the Agoric stack or operating a node on the Agoric network, it is inevitable that participants in the ecosystem will discover a bug or security vulnerability. The process outlined below supports coordinated vulnerability disclosure with bug reporters whose contributions improve the overall resiliency of the ecosystem.
Bugs in the Agoric SDK can be reported to the Agoric HackerOne program, or security@agoric.com.
- Bugs submitted to H1 that are within the scope of the program will be eligible for a reward. It may be necessary to create a HackerOne account to submit a bug report.
- Bug reporters who may not want to sign up for a H1 account can always directly contact Agoric’s code maintainers via security@agoric.com with an issue.
It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual or validator on the network reproduce the issue.
A bug reporter can expect acknowledgment of a potential vulnerability reported through security@agoric.com within 12 hours of submitting a report. If an acknowledgement of an issue is not received within this time frame, especially during a weekend or holiday period, please reach out again. Any issues reported to the HackerOne program will be acknowledged within the time frames posted on the program page.
- The bug triage team and Agoric code maintainers are primarily located in the San Francisco Bay Area with business hours in Pacific Time.
For the safety and security of the network, bug reporters should avoid publicly sharing the details of a security bug on Twitter, Discord, Telegram, or in public GitHub issues during the coordination process.
Once a vulnerability report has been received and triaged:
- Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on the validity of the report.
- It may take up to 72 hours for an issue to be validated, especially if reported during holidays or on weekends.
When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.
- Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.
- If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.
- While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch as quickly as possible.
When a bug patch is included in a software release, the Agoric code maintainers will:
- Confirm the version and date of the software release with the reporter.
- Provide information about the security issue that the software release resolves.
- Credit the bug reporter for discovery by adding thanks in release notes, securing a CVE designation, or adding the researcher’s name to a Hall of Fame.
Discussion of this topic, including recommendations and edits, is located in Issue #4013.