Grin's vulnerability disclosure and security process

igno.peverell · September 10, 2018, 11:14pm

We published a first version of our vulnerability disclosure and security process:

mimblewimble/grin/blob/master/SECURITY.md

# Grin's Security Process

Grin has a [code of conduct](CODE_OF_CONDUCT.md) and the handling of vulnerability disclosure is no exception. We are committed to conduct our security process in a professional and civil manner. Public shaming, under-reporting or misrepresentation of vulnerabilities will not be tolerated.

## Responsible Disclosure

For all security related issues, Grin has two main points of contact:

* Daniel Lehnberg, daniel.lehnberg at protonmail.com
* Ignotus Peverell, igno.peverell at protonmail.net

Send all communications to both parties and expect a reply within 48h. Public keys can be found at the end of this document.

## Vulnerability Handling

Upon reception of a vulnerability disclosure, the Grin team will:

* Reply within a 48h window.
* Within a week, a [CVVS v3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) severity score should be attributed.
* Keep communicating regularly about the state of a fix, especially for High or Critical severity vulnerabilities.

This file has been truncated. show original

For all security researchers, your feedback on the policy and how we can improve it would be extremely valuable. Thanks in advance for any help! I’m hoping we can set a good example and influence other projects to adopt a similar policy.

P.S. Big thanks to Neha for her last post, it was timely and proved to be a very useful reference!

Topic		Replies	Views
Please help evaluate: Grin's security process Governance	12	1478	August 1, 2019
Grin Security Audit #2 Results Announcements	5	2124	November 9, 2019
Announcing the /grin-security repo Announcements	0	861	September 19, 2019
Help us design Grin's RFC process! Governance	5	885	June 29, 2019
Opinions regarding Grin Market	59	2805	August 9, 2019

Grin's vulnerability disclosure and security process

Related Topics