cosmos · aljo242 · Oct 17, 2025 · Oct 20, 2025 · mattac21 · Oct 23, 2025
diff --git a/POLICY.md b/POLICY.md
@@ -60,23 +60,4 @@ Upon introduction of this family, support for the older *(0.50.x / IBC v8.x)* fa
 
 ## Security Fix Process
 
-Cosmos Labs operates a bug bounty program on [HackerOne](https://www.hackerone.com/). We encourage responsible disclosure of vulnerabilities within the supported release families.
-
-For bugs in working branches or in future releases, we encourage developers to share as early and often as possible so we can build a safer, more secure Stack.
-
-The security fix process is being refined to provide better and more predictable service to developers and users. Changes are being introduced to improve transparency and response times across different issue severities:
-
-- **Low and Medium severity:** Fixes will be developed publicly and included in a scheduled Patch Day release.
-- **High severity:** Fixes will be developed privately and included in a scheduled Patch Day release.
-- **Critical severity (e.g., fund loss):** Fixes will be developed privately and deployed immediately, outside the Patch Day cycle.
-
----
-
-## Patch Day
-
-**Patch Day** is a scheduled release event for security and stability fixes.
-
-- Occurs on the **second Tuesday of each month**.
-- A **5-day advance notice** will be provided detailing the packages affected and the nature of the fixes.
-
-This ensures stakeholders can prepare, test, and deploy updates in a timely manner.
+Please read our [security policy](./SECURITY.md) for a detailed breakdown of how bugs and vulnerabilities are to be handled for the Cosmos Stack.
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,8 +1,146 @@
-# Security Policy
+# Cosmos Security Vulnerability Disclosure and Bug Bounty Policy
 
-As part of our coordinated vulnerability dislcosure policy, we offer a Safe Harbor to all security researchers who work with us in good faith. 
-Please visit our Bug Bounty program at [https://hackerone.com/cosmos](https://hackerone.com/cosmos) to learn more, and to report any Security issues you may discover in the Cosmos Stack.
+## Introduction
 
-Additionally, the @security alias at [email protected] is continuously monitored for security coordination. 
-If you are unable to utilize the HackerOne program link above, non-bounty submissions may be sent to [[email protected]](mailto:[email protected])
+Cosmos Labs is committed to the security of the Cosmos Stack and
+encourages responsible disclosure of vulnerabilities. We operate a bug
+bounty program to reward security researchers for discovering and
+reporting issues.
+This policy outlines how to report vulnerabilities, how our bug bounty
+program works, and our approach to patching and disclosing security
+issues.
 
+------------------------------------------------------------------------
+
+## Reporting a Vulnerability
+
+**Private Disclosure:**
+If you discover a potential security vulnerability in Cosmos (e.g.,
+Cosmos SDK, CometBFT, IBC, or related core components), report it
+privately through our official channels.
+
+-   **Preferred method:** Report via the [Cosmos HackerOne Bug Bounty
+    Program](https://hackerone.com/cosmos).
+-   If unable to use HackerOne, you may email: `[email protected]`
+    with the vulnerability details (steps to reproduce, impact, etc.).
+
+> Issues reported via email are *ineligible* for bounty rewards --- only reports through HackerOne qualify.
+
+When reporting, **do not publicize the issue** (e.g., no public GitHub
+issues or social posts) until we have addressed it and granted
+permission to disclose.
+We may coordinate with you on a public disclosure timeline.
+
+By reporting to us, you agree to **participate in coordinated
+vulnerability disclosure**, allowing us time to develop and
+distribute a fix before details are made public.
+
+------------------------------------------------------------------------
+
+## Bug Bounty Program Overview
+
+Our bug bounty program rewards valid security bug reports submitted
+through **HackerOne**, where bounty amounts depend on severity and
+impact.
+
+**Scope:** Core Cosmos Stack components, such as: Cosmos SDK, CometBFT consensus engine, IBC, Cosmos EVM and
+other critical infrastructure
+
+For full scope, severity definitions, and reward ranges, see the Cosmos
+page on HackerOne.
+
+We follow a **Safe Harbor** policy to protect researchers acting in good
+faith. The official HackerOne page contains the **Coordinated
+Vulnerability Disclosure Policy** and **Safe Harbor terms**.
+> In case of discrepancies, the HackerOne policy supersedes other
+documents.
+
+------------------------------------------------------------------------
+
+## Vulnerability Severity Levels
+
+All reported vulnerabilities are assigned a severity category guiding how they are handled and disclosed.
+
+| **Level**    | **Description**                                                                                           | **Examples**                                            |
+|--------------|-----------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+| **Critical** | Bugs posing an existential or network-wide threat (chain halts, consensus failures, inflation, or theft). | Token creation beyond fixed supply, permanent fork bug. |
+| **High**     | Major disruption to many nodes or users, often remotely exploitable.                                      | Remote crash or chain halt vulnerability.               |
+| **Medium**   | Moderate impact or harder to exploit; may require specific configurations.                                | Slow block propagation, limited DoS.                    |
+| **Low**      | Minor impact or impractical exploitation.                                                                 | Benign input causing small performance issue.           |
+
+These levels align with common security practices and determine both
+urgency and disclosure timelines.
+
+------------------------------------------------------------------------
+
+## Silent Patch and Disclosure Process
+
+Cosmos will adopt a **silent patch** approach. Vulnerabilities are fixed
+quietly before disclosure.
+This mirrors practices from projects like **Ethereum's Geth**, **Bitcoin
+Core**, and **Zcash**.
+
+**Why:**
+Announcing vulnerabilities too early can endanger unpatched nodes.
+Silent fixes allow time for safe upgrades before attackers become aware.
+
+### Fix Distribution
+
+-   Fixes are incorporated into new or patch releases.
+-   Release notes may **not** mention the security nature of the fix.
+-   Validators and node operators are **privately encouraged** to
+    upgrade.
+-   For critical issues, patches may be **privately distributed** to key
+    operators or trigger **emergency upgrades**.
+
+### Disclosure Timeline
+
+
+### Disclosure Timeline
+
+| **Severity**     | **Disclosure Timing**                                                      | **Details**                                                                             |
+|------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| **Low / Medium** | ~4 weeks after public fix release                                          | Publish full advisory with impact and fix details.                                      |
+| **High**         | After the affected version reaches **End-of-Life (EOL)** (~1 year typical) | Mirrors Bitcoin Core's delayed high-severity policy.                                    |
+| **Critical**     | **Ad-hoc** (case-by-case)                                                  | Disclose only when safe; may delay or omit full details to prevent future exploitation. |
+
+  ------------------------------------------------------------------------
+
+### Advance Notice
+
+Before disclosing, Cosmos issues a **pre-announcement**, e.g.:
+
+> "Upcoming security disclosure: vulnerabilities fixed in Cosmos SDK
+> vX.Y.Z will be publicly disclosed on \[Date\]. Please ensure you have
+> upgraded."
+
+This alerts operators while maintaining security during the embargo.
+
+------------------------------------------------------------------------
+
+## Transparency and Post-Disclosure
+
+Once the embargo period expires, a **Security Advisory** is published
+(via GitHub advisories or blog), detailing: - Vulnerability
+description - Affected versions - Severity - Fix steps - Reporter credit
+(unless anonymity requested)
+
+Historical advisories remain publicly available.
+This **delayed transparency model** balances immediate safety with
+long-term openness and trust.
+
+------------------------------------------------------------------------
+
+Cosmos Labs deeply appreciates the work of white-hat hackers and auditors
+whose contributions strengthen the Cosmos ecosystem.
+
+------------------------------------------------------------------------
+
+### References
+
+-   [Bitcoin Core Security
+    Advisories](https://bitcoincore.org/en/security-advisories/)
+-   [Go Ethereum Vulnerability
+    Disclosure](https://ethereumpow.github.io/go-ethereum/docs/vulnerabilities/vulnerabilities)
+-   [Bitcoin Core Security Disclosure Policy
+    Announcement](https://bitexes.com/blog/124272)