-
Notifications
You must be signed in to change notification settings - Fork 411
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SECURITY.md #303
Comments
The big open question is a secure manner to submit critical bugs. I will do some research to see what people are using:
Some other large projects don't even seem to have a clearly visible SECURITY.md file. Such as Avalanche, and Tezos |
Given the above research, I see two reasonable approaches (we can do one or both):
Shall we start with an email address, add a GPG key later, and check out how much it costs to run a Hacker One bug bounty (maybe co-financed by multiple projects using CosmWasm)? |
We have security@confio.gmbh set up. Let's just make a simple SECURITY.md file based on one of the projects linked above to accept unencrypted emails for now. We can add the GPG key as well as a possible hacker one bug bounty link in the future. I see major projects using similarly insecure reporting methods, so I would not block our 0.18.0 on a better approach (but happy to use a better one in the future) |
Containing:
The text was updated successfully, but these errors were encountered: