first pass at security.md [SLT-250] #3205
@@ -0,0 +1,30 @@ | ||||||||||||||||||||||||
# Security Policy | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
## Overview | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
The security of Synapse Protocol is paramount. To standardize and encourage the discovery of bugs, the following outlines how to report bugs found in Synapse Protocol, sanguine, or any related code base. The program enables community members to submit reports of "bugs" or vulnerabilities for a chance to earn rewards. The program aims to incentivise responsible disclosure and enhance the security of Synapse Protocol. | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
Bounties are allocated on an ad hoc basis, and depend on the legitimacy, risk level, and other variables. | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
## Reporting a Vulnerability | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
All bug disclosures should be disclosed privately to a member of Synapse Labs. This can be done in the following ways: | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
1. Open up a ticket in the Synapse Discord | ||||||||||||||||||||||||
2. Reach out to a core team member privately on Telegram | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
Comment on lines +11 to +15

Enhance the security reporting channels

The current reporting channels (Discord and Telegram) may not provide adequate security for sensitive vulnerability reports. Consider:

Add these secure communication channels:

All bug disclosures should be disclosed privately to a member of Synapse Labs. This can be done in the following ways:
1. Open up a ticket in the Synapse Discord
2. Reach out to a core team member privately on Telegram
+3. Send an encrypted email to [email protected] (PGP Key: <key-fingerprint>)
+
+For secure communications, our PGP public key can be found at: <key-url>
|
||||||||||||||||||||||||
## The Wrong Way to Disclose | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
Please exercise prudence when disclosing a bug. The following actions are the wrong way to disclose a bug: | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
- Filing a public ticket mentioning the vulnerability | ||||||||||||||||||||||||
- Testing the vulnerability on mainnet or testnet | ||||||||||||||||||||||||
- Sharing the bug on a public channel | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
Comment on lines +18 to +23

🛠️ Refactor suggestion

Add responsible disclosure timeline and expectations

While the prohibited actions are clear, the section would benefit from including:

Add this section after line 23:

## Disclosure Timeline
- Initial Response: Within 24-48 hours
- Assessment: 3-5 business days
- Fix Development: Based on severity
  - Critical: Up to 30 days
  - High: Up to 60 days
  - Medium/Low: Up to 90 days
- Coordinated Public Disclosure: After fix deployment and testing
## Other Vulnerabilities | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
For vulnerabilities in any of our websites, email servers, or other non-critical infrastructure, please reach out through one of the channels above. We and Labs appreciate detailed instructions outlining the vulnerability. | ||||||||||||||||||||||||
Comment on lines +24 to +26

Revise the non-critical vulnerabilities section

The section needs improvement in both content and grammar:

Apply this correction:

-For vulnerabilities in any of our websites, email servers, or other non-critical infrastructure, please reach out through one of the channels above. We and Labs appreciate detailed instructions outlining the vulnerability.
+For vulnerabilities in any of our websites, email servers, or other non-critical infrastructure, please email [email protected]. Synapse Labs appreciates detailed instructions outlining the vulnerability. Please include:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested remediation (if any)
|
||||||||||||||||||||||||
|
||||||||||||||||||||||||
## Other Terms | ||||||||||||||||||||||||
|
||||||||||||||||||||||||
The decisions made regarding rewards are final and binding. By submitting your report, you grant Synapse Labs any and all rights, including without limitation intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and how such rewards will be paid, are made at the sole discretion of Synapse Labs. Terms and conditions of the Program may be altered at any time. Synapse Labs may change or cancel this Program at any time, for any reason. | ||||||||||||||||||||||||
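Review bot: The policy gives researchers no sanctioned way to reproduce a finding and no safe-harbor statement: "The Wrong Way to Disclose" (lines +18 to +23) forbids "Testing the vulnerability on mainnet or testnet" but never says what is allowed, so a reporter who validates a contract bug on a local fork cannot tell whether they have already breached the rules. Add a line stating that reproduction should be done on a private fork or local node, with proof-of-concept transactions included in the private report rather than broadcast, plus a sentence that good-faith research within those bounds will not be pursued. Two smaller points: the only channels in "Reporting a Vulnerability" (lines +11 to +15) are "Open up a ticket in the Synapse Discord" and "Reach out to a core team member privately on Telegram", neither of which lets a reporter verify they are talking to Synapse Labs or encrypt the report, so name a team-controlled mailbox with a published key fingerprint; and "We and Labs appreciate detailed instructions" (line +26) should read "Synapse Labs appreciates detailed instructions". The scope phrase "or any related code base" (line +5) should also be pinned to the repositories and deployed contracts that are actually in scope.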
🛠️ Refactor suggestion

Consider restructuring the Other Terms section for clarity.

While the terms covered in this section are comprehensive, the dense paragraph structure might make it difficult for readers to quickly grasp all the important points. Consider breaking this into bullet points or shorter paragraphs for improved readability. Here's a suggested restructure:

## Other Terms
- All reward decisions, including eligibility, amounts, and payment methods, are made at the sole discretion of Synapse Labs. These decisions are final and binding.
- By submitting your report, you grant Synapse Labs all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability.
- Synapse Labs reserves the right to alter the terms and conditions of the Program at any time.
- Synapse Labs may change or cancel this Program at any time, for any reason.
🛠️ Refactor suggestion
Consider providing more details about the bounty program.
The overview effectively introduces the security policy. However, the statement about bounty allocation (line 7) is quite vague. To encourage participation, consider providing more specific information about the bounty program, such as potential reward ranges or factors that influence the reward amount.
You could add a sentence like:
+Rewards typically range from $X to $Y, depending on the severity and impact of the reported vulnerability.