github.com/cosmos/cosmos-sdk@v0.50.10/SECURITY.md

# Coordinated Vulnerability Disclosure Policy

The Cosmos ecosystem believes that strong security is a blend of highly
technical security researchers who care about security and the forward
progression of the ecosystem, and the attentiveness and openness of Cosmos core
contributors to help continually secure our operations.

> **IMPORTANT**: *DO NOT* open public issues on this repository for security
> vulnerabilities.

## Scope

| Scope                 |
|-----------------------|
| last release (tagged) |
| main branch           |

The latest **release tag** of this repository is supported for security updates,
as is the **main** branch. Security vulnerabilities should be reported if
the vulnerability can be reproduced on either one of those.

## Reporting a Vulnerability

| Reporting methods                                             |
|---------------------------------------------------------------|
| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
| [HackerOne bug bounty program][h1]                            |

All security vulnerabilities can be reported under GitHub's [Private
vulnerability reporting][gh-private-advisory] system. This will open a private
issue for the developers. Try to fill in as many of the questions as possible.
If you are not familiar with the CVSS system for assessing vulnerabilities, just
use the Low/High/Critical severity ratings. A partially filled-in report for a
critical vulnerability is still better than no report at all.

Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
page for more details on submissions and rewards. If you think the vulnerability
is eligible for a payout, **report on HackerOne first**.

Vulnerabilities in services and their source code (JavaScript, web page, Google
Workspace) are not in scope for the bug bounty program, but they are welcome to
be reported in GitHub.

### Guidelines

We require that all researchers:

* Abide by this policy to disclose vulnerabilities, and avoid posting
  vulnerability information in public places, including GitHub, Discord,
  Telegram, and Twitter.
* Make every effort to avoid privacy violations, degradation of user experience,
  disruption to production systems (including but not limited to the Cosmos
  Hub), and destruction of data.
* Keep any information about vulnerabilities that you've discovered confidential
  between yourself and the Cosmos engineering team until the issue has been
  resolved and disclosed.
* Avoid posting personally identifiable information, privately or publicly.

If you follow these guidelines when reporting an issue to us, we commit to:

* Not pursue or support any legal action related to your research on this
  vulnerability
* Work with you to understand, resolve and ultimately disclose the issue in a
  timely fashion

### More information

* See [TIMELINE.md] for an example timeline of a disclosure.
* See [DISCLOSURE.md] for more on the inner workings of the disclosure
  process.
* See [EXAMPLES.md] for some of the examples that we are interested in for the
  bug bounty program.

[gh-private-advisory]: /../../security/advisories/new
[h1]: https://hackerone.com/cosmos
[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md