From a7c4d7ccd6bb46ade39df7480dc865ff4f77ce11 Mon Sep 17 00:00:00 2001 From: Kenny P <17100641+kpeluso@users.noreply.github.com> Date: Mon, 8 Jul 2024 00:41:57 -0400 Subject: [PATCH] Create SECURITY.md (#137) add security.md --------- Signed-off-by: Kenny P <17100641+kpeluso@users.noreply.github.com> --- .github/pull_request_template.md | 45 ++++++++++++++++++++ SECURITY.md | 72 ++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 .github/pull_request_template.md create mode 100644 SECURITY.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..bd768aa --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,45 @@ + + +Closes: #XXX + +## What is the purpose of the change + +> Add a description of the overall background and high level changes that this PR introduces + +*(E.g.: This pull request improves documentation of area A by adding ....)* + +## Testing and Verifying + +*(Please pick one of the following options)* + +This change is a trivial rework / code cleanup without any test coverage. + +*(or)* + +This change is already covered by existing tests, such as *(please describe tests)*. + +*(or)* + +This change added tests and can be verified as follows: + +*(example:)* + - *Added unit test that validates ...* + - *Added integration tests for end-to-end deployment with ...* + - *Extended integration test for ...* + - *Manually verified the change by ...* + +## Documentation and Release Note + + - [ ] Does this pull request introduce a new feature or user-facing behavior changes? + + +Where is the change documented? + - [ ] Specification (`x/{module}/README.md`) + - [ ] Allora documentation site `docs.allora.network` source code at: `https://github.com/allora-network/docs` + - [ ] Code comments? + - [ ] N/A diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7a4c949 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,72 @@ +# Security Policy + +## Introduction + +Security researchers are essential in identifying vulnerabilities that may impact the Allora ecosystem. If you have discovered a security vulnerability in the Allora chain or any repository managed by Allora, we encourage you to notify us using one of the methods outlined below. + +### Guidelines for Responsible Vulnerability Testing and Reporting + +1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to: + - Allora mainnet + - any Allora-affiliated frontends e.g. allora.network, alloralabs.xyz + - Allora public testnets + - Allora testnet frontend + +2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues** + +## Reporting Security Issues + +To privately report a security vulnerability, please choose one of the following options: + +### 1. Email + +Send your detailed vulnerability report to `security@alloralabs.xyz`. + +### 2. GitHub Private Vulnerability Reporting + +Utilize [GitHub's Private Vulnerability Reporting](https://github.com/allora-network/allora-chain/security/advisories/new) for confidential disclosure. + +## Submit Vulnerability Report + +When reporting a vulnerability through either method, please include the following details to aid in our assessment: + +- Type of vulnerability +- Description of the vulnerability +- Steps to reproduce the issue +- Impact of the issue +- Explanation of how an attacker could exploit it + +## Vulnerability Disclosure Process + +1. **Initial Report**: Submit the vulnerability via one of the above channels. +2. **Confirmation**: We will confirm receipt of your report within 48 hours. +3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution. +4. **Resolution**: Once fixed, you will be contacted to verify the solution. +5. 
**Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk. + +During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade. + +During this time: + +- Avoid exploiting any vulnerabilities you discover. +- Demonstrate good faith by not disrupting or degrading Allora's services. + +## Severity Characterization + +| Severity | Description | +| ------------ | ----------------------------------------------------------------------- | +| **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) | +| **HIGH** | Significant impact on major functionality | +| **MEDIUM** | Impacts minor features or exposes non-sensitive data | +| **LOW** | Minimal impact | + +## Bug Bounty + +Though we don't have an official bug bounty program, we generally offer rewards to security researchers who responsibly disclose vulnerabilities to us. Bounties are generally awarded for vulnerabilities classified as **high** or **critical** severity. Bounty amounts will be determined during the disclosure process, after the severity has been assessed. Please note that in order to collect a bounty, the reporter must go through a KYC process. + +> [!WARNING] +> Targeting our production environments will disqualify you from receiving any bounty. + +## Feedback on this Policy + +For recommendations on how to improve this policy, either submit a pull request or send an email to `security@alloralabs.xyz`.
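Review bot: In the `.github/pull_request_template.md` hunk, the "Documentation and Release Note" section asks only whether the change introduces a new feature or user-facing behaviour; for a chain repository that is, in the same PR, publishing a vulnerability-disclosure policy, the template should also make the author state whether the change touches consensus, state-machine, or otherwise security-sensitive code, since that is what decides whether a coordinated release or network upgrade is needed. Suggest adding a checkbox next to the existing one, e.g. `- [ ] Does this pull request change consensus, state, or security-sensitive code (requires a release note and/or an upgrade)?`, and replacing the `Closes: #XXX` placeholder with a comment that tells authors to delete the line when no issue applies, so stale `#XXX` references do not land in merged PRs.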
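Review bot: In the `SECURITY.md` hunk, the e-mail channel (`security@alloralabs.xyz`) is offered for "detailed vulnerability report[s]" including reproduction steps, but no PGP key or fingerprint is published, so reporters have no way to send those details other than in plaintext; either publish a key (and its fingerprint in this file) or state that GitHub Private Vulnerability Reporting is the preferred channel and e-mail is for initial contact only. Related, the Private Vulnerability Reporting link points only at `allora-network/allora-chain` while the policy scope is "any repository managed by Allora"; say how to report issues in the other repositories. Finally, the process text asks researchers to keep issues confidential "until a patch is developed" but the next sentence explains that a fix may not be live until a governance proposal and network upgrade complete; change that to "until the fix has been deployed" so the embargo matches the actual risk window.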