chore: update policy #23
Conversation
SECURITY.md
Outdated
| **Scope:** Core Cosmos Stack components, such as: Cosmos SDK, CometBFT consensus engine, IBC, Cosmos EVM and | ||
| other critical infrastructure | ||
|
|
||
| For full scope, severity definitions, and reward ranges, see the Cosmos | ||
| page on HackerOne. |
There was a problem hiding this comment.
Should probably just list out the exact scope here (instead of leaving it at 'other critical infra'), we also should link to the page on hacker one here.
SECURITY.md
Outdated
| | **Critical** | Bugs posing an existential or network-wide threat (chain halts, consensus failures, inflation, or theft). | Token creation beyond fixed supply, permanent fork bug. | | ||
| | **High** | Major disruption to many nodes or users, often remotely exploitable. | Remote crash or chain halt vulnerability. | | ||
| | **Medium** | Moderate impact or harder to exploit; may require specific configurations. | Slow block propagation, limited DoS. | | ||
| | **Low** | Minor impact or impractical exploitation. | Benign input causing small performance issue. | |
There was a problem hiding this comment.
need to expand on these further and be more specific in the definitions between critical and high. this is probably what security researchers care most about, and here critical and high sound very similar, feels like you could argue any high is a critical based on these defs.
SECURITY.md
Outdated
| ### Advance Notice | ||
|
|
||
| Before disclosing, Cosmos issues a **pre-announcement**, e.g.: | ||
|
|
||
| > "Upcoming security disclosure: vulnerabilities fixed in Cosmos SDK | ||
| > vX.Y.Z will be publicly disclosed on \[Date\]. Please ensure you have | ||
| > upgraded." | ||
| This alerts operators while maintaining security during the embargo. |
There was a problem hiding this comment.
i dont totally get this part, so we have silent releases, but also will announce that patch x.y.z has a security vulnerability in it that we are fixing and will announce what that is in a year? im assuming for a lot of these the security vuln will be the only thing in the patch if we are upgrading the previous release family, so then based on the commit message + this announcement it feels like it defeats the purpose of it being silent.
SECURITY.md
Outdated
| Cosmos adopts a **silent patch** approach. Vulnerabilities are fixed | ||
| quietly before disclosure. |
There was a problem hiding this comment.
Should mention that this is not for critical vulnerabilities. And also mention what we do in case of critical vulnerabilities
SECURITY.md
Outdated
|
|
||
| Cosmos adopts a **silent patch** approach. Vulnerabilities are fixed | ||
| quietly before disclosure. | ||
| This mirrors practices from projects like **Ethereum's Geth**, **Bitcoin |
There was a problem hiding this comment.
Might be good to include a link here to their policy. For ex, https://geth.ethereum.org/docs/developers/geth-developer/disclosures
SECURITY.md
Outdated
| Announcing vulnerabilities too early can endanger unpatched nodes. | ||
| Silent fixes allow time for safe upgrades before attackers become aware. |
There was a problem hiding this comment.
True, I'm curious if we can stick to this if we see a chain get attacked (and let's say get halted). So this doc should mention what we do in case we know that attackers have already become aware before a maintenance release. My guess would be that we treat is as critical, although it is not critical.
SECURITY.md
Outdated
| ### Disclosure Timeline | ||
|
|
There was a problem hiding this comment.
Duplicate
| ### Disclosure Timeline |
SECURITY.md
Outdated
| |------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------| | ||
| | **Low / Medium** | ~4 weeks after public fix release | Publish full advisory with impact and fix details. | | ||
| | **High** | After the affected version reaches **End-of-Life (EOL)** (~1 year typical) | Delayed high-severity policy ensures attackers are not aware of exploits. | | ||
| | **Critical** | **Ad-hoc** (case-by-case) | Disclose only when safe; may delay or omit full details to prevent future exploitation. | |
There was a problem hiding this comment.
For this, we would need to patch everyone asap, right? So once that is done, I don't see why we can't wait until the EOL.
zchn
left a comment
zchn
left a comment
There was a problem hiding this comment.
Looks great to me. Only minor thoughts.
SECURITY.md
Outdated
|
|
||
| | **Level** | **Description** | **Examples** | | ||
| |--------------|-------------------------------------------------------------------------------------|---------------------------------------------------------| | ||
| | **Critical** | Network-wide or existential threats, including fund loss, inflation, or theft. | Unlimited token minting, permanent consensus failure. | |
There was a problem hiding this comment.
I'd only include permanent & irrecoverable loss of fund in critical, i.e. Description: "Permanent and irrecoverable loss of fund", Example: "Direct fund loss, unauthorized and unlimited token minting, irreversible theft of fund."
Any DoS issues including chain halt, temporary freeze of funds and recoverable fund loss should be a high only.
|
|
||
| ## Vulnerability Severity Levels | ||
|
|
||
| Reported vulnerabilities are assigned a severity classification that |
There was a problem hiding this comment.
What's the motivation of having both this table and the read world examples at https://github.com/cosmos/security/blob/1e9c361558608b4ac5468ffdfff89abd273249be/resources/CLASSIFICATION_MATRIX.md#real-world-examples? Feels like they serve the same purpose so we should probably merge them?
|
|
||
| ------------------------------------------------------------------------ | ||
|
|
||
| ## Silent Patch and Disclosure Process |
There was a problem hiding this comment.
I really like that we are not reinventing the wheel and reusing Eth/Btc/Zcash process as much as possible!
POLICY.md: Removed prior bug bounty, severity handling, and Patch Day process text; replaced with a single pointer directing readers toSECURITY.mdfor details.SECURITY.md:resources/CLASSIFICATION_MATRIX.md.