chore: update policy #23
Conversation
| **Scope:** Core Cosmos Stack components, such as: Cosmos SDK, CometBFT consensus engine, IBC, Cosmos EVM and | ||
| other critical infrastructure | ||
|
|
||
| For full scope, severity definitions, and reward ranges, see the Cosmos | ||
| page on HackerOne. |
There was a problem hiding this comment.
Should probably just list out the exact scope here (instead of leaving it at 'other critical infra'), we also should link to the page on hacker one here.
| | **Critical** | Bugs posing an existential or network-wide threat (chain halts, consensus failures, inflation, or theft). | Token creation beyond fixed supply, permanent fork bug. | | ||
| | **High** | Major disruption to many nodes or users, often remotely exploitable. | Remote crash or chain halt vulnerability. | | ||
| | **Medium** | Moderate impact or harder to exploit; may require specific configurations. | Slow block propagation, limited DoS. | | ||
| | **Low** | Minor impact or impractical exploitation. | Benign input causing small performance issue. | |
There was a problem hiding this comment.
need to expand on these further and be more specific in the definitions between critical and high. this is probably what security researchers care most about, and here critical and high sound very similar, feels like you could argue any high is a critical based on these defs.
| ### Advance Notice | ||
|
|
||
| Before disclosing, Cosmos issues a **pre-announcement**, e.g.: | ||
|
|
||
| > "Upcoming security disclosure: vulnerabilities fixed in Cosmos SDK | ||
| > vX.Y.Z will be publicly disclosed on \[Date\]. Please ensure you have | ||
| > upgraded." | ||
| This alerts operators while maintaining security during the embargo. |
There was a problem hiding this comment.
i dont totally get this part, so we have silent releases, but also will announce that patch x.y.z has a security vulnerability in it that we are fixing and will announce what that is in a year? im assuming for a lot of these the security vuln will be the only thing in the patch if we are upgrading the previous release family, so then based on the commit message + this announcement it feels like it defeats the purpose of it being silent.
2 participants
No description provided.