You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a review of language on the security policy taking into account the given feedback to funnel all bugs through the Immunefi program. Please check if everything is correct.
Copy file name to clipboardExpand all lines: SECURITY.md
+3-9Lines changed: 3 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,6 +17,8 @@ Websites and Applications
17
17
- High Level: USD $1,000 to USD $10,000
18
18
- Medium Level: USD $1,000
19
19
20
+
A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers.
21
+
20
22
### Out of Scope Impacts
21
23
22
24
Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program:
@@ -57,15 +59,7 @@ Rewards are distributed according to the impact of the vulnerability based on th
57
59
58
60
## Reporting a Vulnerability Not Covered by the Bug Bounty Program
59
61
60
-
For those assets that are not covered in the Immunefi Bug Bounty program, (please see the updated program [here](https://immunefi.com/bounty/thresholdnetwork/)), if you identify any vulnerabilities within the Threshold Network code and outside our bounty program, please let us know. You can send an email to `security@threshold.network` with relevant information about your findings. We will work with researchers to coordinate vulnerability disclosure between our stakers, partners, and users to ensure the successful mitigation of vulnerabilities.
61
-
62
-
Throughout the reporting process, we expect researchers to honor an embargo period that may vary depending on the severity of the disclosure. This ensures that we have the opportunity to fix any issues, identify further issues (if any), and inform our users.
63
-
64
-
Sometimes vulnerabilities are more sensitive in nature and require extra precautions. We are happy to work together to use a more secure medium, such as Signal. Email security@threshold.network and we will coordinate a communication channel that we're both comfortable with.
65
-
66
-
A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and immediately email `security@threshold.network`.
67
-
68
-
Threshold DAO will make a best effort to respond to a new report **within 48 hours**. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames.
62
+
Security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi.
69
63
70
64
Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings.
0 commit comments