github.com/consensys/gnark-crypto@v0.14.0/SECURITY.md

# `gnark-crypto` Security Policy

## Overview

This document explains the gnark team's process for handling reported issues and what to expect in return.

## Reporting a Security Bug

All security bugs in the gnark-crypto distribution should be reported by email to gnark@consensys.net.

Your email will be acknowledged within 7 days, and you'll be kept up to date with the progress until resolution. Your issue will be fixed or made public within 90 days.

If you have not received a reply to your email within 7 days, please follow up with the gnark team again at gnark@consensys.net.

Note that we do not currently run any bug bounty program.

## Tracks

Depending on the nature of your issue, it will be categorized as an issue in the **PUBLIC**, **PRIVATE**, or **URGENT** track.

### PUBLIC

Issues in the **PUBLIC** track affect niche configurations, have very limited impact, or are already widely known.

**PUBLIC** track issues are fixed on the develop branch, and get backported to the next scheduled minor releases. The release announcement includes details of these issues, but there is no pre-announcement.

### PRIVATE

Issues in the **PRIVATE** track are violations of committed security properties.

**PRIVATE** track issues are fixed in the next scheduled minor releases, and are kept private until then.

Three to seven days before the release, a pre-announcement is sent to [`gnark-announce`] and [@gnark_team], announcing the presence of a security fix in the upcoming releases and which component in gnark is affected: compiler, constraint system or proof system (but not disclosing any more details).

### URGENT

**URGENT** track issues are a threat to the gnark ecosystem's integrity, or are being actively exploited in the wild leading to severe damage.

**URGENT** track issues are fixed in private, and trigger an immediate dedicated security release, possibly with no pre-announcement.

## Flagging Existing Issues as Security-related

If you believe that an existing issue is security-related, we ask that you send an email to gnark@consensys.net. The email should include the issue ID and a short description of why it should be handled according to this security policy.

## Disclosure Process

The gnark project uses the following disclosure process:

* Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
* The issue is confirmed and a list of affected components is determined.
* Code is audited to find any potential similar problems.
* Fixes are prepared for the two most recent major releases and the head/master revision, and merged to head/master.
* On the date that the fixes are applied, announcements are sent to [`gnark-announce`] and [@gnark_team].

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it's important that we follow the process described above to ensure that disclosures are handled consistently.

## Receiving Security Updates

The best way to receive security announcements is to subscribe to the [`gnark-announce`] mailing list. Any messages pertaining to a security issue will be prefixed with \[security\].

[`gnark-announce`]: https://groups.google.com/g/gnark-announce
[@gnark_team]: https://twitter.com/gnark_team