Skip to content

Runbook: Reporting a Security Bug

Jessy Irwin edited this page Oct 29, 2021 · 7 revisions

While building on the Agoric stack or operating a node on the Agoric network, it is inevitable that participants in the ecosystem will discover a bug or security vulnerability. The process outlined below supports coordinated vulnerability disclosure with bug reporters whose contributions improve the overall resiliency of the ecosystem.

  • Bugs in the Agoric SDK and can be reported to the Agoric HackerOne program (https://hackerone.com/agoric?type=team), or [email protected].

    • Bugs submitted to H1 that are within the scope of the program will be eligible for reward. It may be necessary to create a HackerOne account to submit a bug report.
    • Bug reporters who may not want to sign up for a H1 account can always directly contact Agoric’s code maintainers via [email protected] with an issue. [Do we have to do PGP?]
  • It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual or validator on the network reproduce the issue.

  • A bug reporter can expect acknowledgment of a potential vulnerability reported through HackerOne or [email protected] within 12 hours of submitting a report. If an acknowledgement of an issue is not received within this time frame, especially during a weekend or holiday period, please reach out again.

    • The bug triage team and Agoric code maintainers are primarily located in the San Francisco Bay Area with business hours in PST.
  • For the safety and security of the network, bug reporters should avoid publicly sharing the details of a security bug on Twitter, Discord, Telegram, or in public Github issues during the coordination process.

  • Once a vulnerability report has been received and triaged:

    • Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on validity of the report.
    • It may take up to 72 hours for an issue to be validated, especially if reported during holidays or on weekends.
  • When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.

    • Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.
    • If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.
    • While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch as quickly as possible.

When a bug patch is included in a software release, the Agoric code maintainers will:

  • Confirm the version and date of the software release with the reporter.
  • Provide information about the security issue that the software release resolves.
  • Credit the bug reporter for discovery by adding thanks in release notes, securing a CVE designation, or adding the researcher’s name to a Hall of Fame.

Discussion of this topic, including recommendations and edits, is located in Issue #4013.

Clone this wiki locally