chore: update security policy #2205

Merged
merged 1 commit into from
Nov 6, 2024
17 changes: 9 additions & 8 deletions SECURITY.md
@@ -1,4 +1,4 @@
# Security Policy
# Security Policy

## Introduction

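Review bot: the old and new `# Security Policy` lines read identically, so this hunk is a whitespace-only change to the heading (trailing space, line ending or byte-order mark); confirm it is intentional rather than an editor side effect, since it otherwise adds noise to the file history.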
Expand All @@ -7,10 +7,11 @@ Security researchers are essential in identifying vulnerabilities that may impac
### Guidelines for Responsible Vulnerability Testing and Reporting

1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to:
- Axelar mainnet
- Axelar Frontend Apps e.g satellite.money
- Axelar Testnet
- Axelar Testnet Frontend Apps e.g testnet.satellite.money

- Axelar mainnet
- Axelar Powered Frontend Apps e.g satellite.money, Squid etc.
- Axelar Testnet
- Axelar Testnet Powered Frontend Apps e.g testnet.satellite.money

2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues**

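Review bot: the scope in item 1 became open-ended with `Squid etc.`, which leaves a researcher unable to tell which third-party frontends they must not test; name the specific apps (or link to a maintained list) and drop `etc.`. Since apps such as Squid are operated by other teams, this policy cannot restrict testing of them on its own, so point to their own disclosure policies where they exist. The four new bullets also repeat the typo `e.g` for `e.g.` from the lines they replace.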
Expand All @@ -20,7 +21,7 @@ To privately report a security vulnerability, please choose one of the following

### 1. Email

Send your detailed vulnerability report to `security@axelar.network`.
Send your detailed vulnerability report to `security@interoplabs.io`.

### 2. Bug Bounty Program

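Review bot: with the contact moving to `security@interoplabs.io`, keep `security@axelar.network` forwarding (or list both addresses for a transition period) so reports sent to the old address, which earlier copies of this file, `security.txt` and bounty listings may still show, are not lost. The hunk still gives no PGP key or fingerprint for encrypting a report to the new address, which belongs next to the email line.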
Expand All @@ -45,7 +46,7 @@ When reporting a vulnerability through either method, please include the followi
2. **Confirmation**: We will confirm receipt of your report within 48 hours.
3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution.
4. **Resolution**: Once fixed, you will be contacted to verify the solution.
5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk.
5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after approval from the team, ensuring it poses no further risk.

During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade.

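Review bot: step 5 now makes public disclosure contingent on team approval with no time bound, while the following paragraph asks researchers to stay confidential only `until a patch is developed`; reconcile the two with an explicit maximum embargo (for example a fixed number of days after the fix or network upgrade ships) so a researcher knows when they may publish if approval is not given.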
Expand All @@ -58,7 +59,7 @@ During this time:

| Severity | Description |
|--------------|-------------------------------------------------------------------------|
| **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) |
| **CRITICAL** | Immediate threat to critical systems (e.g. funds at risk) |
| **HIGH** | Significant impact on major functionality |
| **MEDIUM** | Impacts minor features or exposes non-sensitive data |
| **LOW** | Minimal impact |
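Review bot: dropping `chain halts` from the CRITICAL examples leaves liveness failures without a clear bucket, since HIGH only names `Significant impact on major functionality`; if the intent is that a halt is no longer critical, say so explicitly in the HIGH row, otherwise keep it in the CRITICAL example list.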