The current master
and release-pismo
branches are supported with security updates.
At Agoric, we believe that strong security requires strong collaboration with security researchers. If you believe that you have found a security bug in our code, we encourage you to report it. To report a bug, you can:
-
Submit a report to the Agoric HackerOne vulnerability rewards program, where it may be eligible for a reward.
-
Send an email to security@agoric.com.
-
It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual reproduce the issue.
-
A bug reporter can expect acknowledgment of a potential vulnerability reported through security@agoric.com within one business day of submitting a report. If an acknowledgement of an issue is not received within this time frame, especially during a weekend or holiday period, please reach out again. Any issues reported to the HackerOne program will be acknowledged within the time frames posted on the program page.
- The bug triage team and Agoric code maintainers are primarily located in the San Francisco Bay Area with business hours in Pacific Time .
-
For the safety and security of those who depend on the code, bug reporters should avoid publicly sharing the details of a security bug on Twitter, Discord, Telegram, or in public Github issues during the coordination process.
-
Once a vulnerability report has been received and triaged:
- Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on validity of the report.
- It may take up to 72 hours for an issue to be validated, especially if reported during holidays or on weekends.
-
When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.
- Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.
- If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.
- While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch as quickly as possible.
When a bug patch is included in a software release, the Agoric code maintainers will: * Confirm the version and date of the software release with the reporter. * Provide information about the security issue that the software release resolves. * Credit the bug reporter for discovery by adding thanks in release notes, securing a CVE designation, or adding the researcher’s name to a Hall of Fame.