-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0a94d73
commit a6eef88
Showing
1 changed file
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Terp-Core Security Policy | ||
|
|
||
| This document describes the Terp Network Security team's process for handling security issues. | ||
|
|
||
| ## Reporting Security Issues | ||
|
|
||
| __IMPORTANT:__ _Please DO NOT open public issues for security related matters, or discuss it in public forum or on social media._ | ||
|
|
||
|
|
||
| All security issues should be reported via email to [terp.network@skiff.com](mailto:terp.network@skiff.com). Email is delivered to the Terp Network Foundation DAO. | ||
|
|
||
| Include the following details in the report: | ||
|
|
||
| - Your name; | ||
| - Your affiliation (if applicable); | ||
| - Technical description of the issue, including steps to reproduce; | ||
| - Explanation of who may be able to exploit this vulnerability and what the impact or implications may be; | ||
| - Whether this vulnerability is public or known to third parties. Please provide details where applicable; | ||
|
|
||
| _Please notify the Terp Network Security team at the email above of existing public issues that may be of critical security importance._ Please ensure to include the issue ID along with a short description / explanation of the security relevance. | ||
|
|
||
| ### GitHub Private Vulnerability Reporting | ||
|
|
||
| Under the repository "Security" tab / Security Advisories you will find "Report a vulnerability". Please complete the provided form with as much details as possible. | ||
|
|
||
| For more information on GitHub private vulnerability reporting [see this](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). | ||
|
|
||
| _Best practices for writing repository security advisories_ can be found [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories). | ||
|
|
||
| Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "[Privately report a security vulnerability](https://docs.github.com/en/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability)" in the REST API documentation. | ||
|
|
||
| ## Handling Security Issues | ||
|
|
||
| The Terp Network Security team will: | ||
|
|
||
| 1. Verify and confirm the issue; | ||
| 2. Determine affected versions and scope of impact; | ||
| 3. Conduct audits to find any potential similar and related issues; | ||
| 4. Prepare fixes for relevant in-production releases; | ||
| 5. Endeavor to communicate and coordinate with relevant ecosystem stakeholders, including the Terp Network communities, at the appropriate times; | ||
|
|
||
| Please assist the Terp Network Security team by following these guidelines: | ||
|
|
||
| - Allow a reasonable amount of time for the team to respond to and address the issue; | ||
| - Avoid exploiting any issues or vulnerabilities that you may become aware of; | ||
| - Demonstrate good faith by not disrupting the Terp Network's networks, data, services or communities; | ||
|
|
||
| _Every effort will be made to handle and address security issues as quickly and efficiently as possible._ |