Merged
38 changes: 38 additions & 0 deletions SECURITY.md
@@ -0,0 +1,38 @@
# Firmachain bug reporting and feature requests

The Firmachain core development team uses GitHub to manage feature requests and bugs. This is done via GitHub Issues.

## Standard priority bug

For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.

## Critical bug or security issue

If you're here because you're trying to figure out how to notify us of a security issue, alert the core engineers:

| Name | Email |
|-----|------|
| Niil | niil[at]kintsugi.tech |
| Luca | luca[at]kintsugi.tech |

Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.

### Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you:

- Allow us a reasonable amount of time to correct or address security vulnerabilities.
- Avoid exploiting any vulnerabilities that you discover.
- Demonstrate good faith by not disrupting or degrading Firmachain’s network, data, or services.

### Vulnerability Disclosure Process

Firmachain uses the following disclosure process:

- Once a security report is received, the Firmachain core development team works to verify the issue.
- Patches are prepared for eligible releases in private repositories.
- We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators.
- Following this notification, the fixes are applied publicly and new releases are issued.
- Once releases are available for Firmachain, we notify the community, again, through the same channels as above.

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Firmachain and the projects running on it secure.
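Review bot: The contact table (the `| Niil |` and `| Luca |` rows) offers only plain email addresses, yet the Coordinated Vulnerability Disclosure section asks researchers to keep submissions "private and confidential"; without a published PGP key or other encrypted channel, a reporter has no confidential way to send the details the policy asks them to protect. Consider adding a key fingerprint (or a link to one) beside each address. Relatedly, "Allow us a reasonable amount of time" gives the reporter no acknowledgement or remediation window to plan around; stating an initial-response target (for example, acknowledgement within N business days) would make the expectation in that bullet concrete for both sides.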