chore: add SECURITY.md (#1328)

* add SECURITY.md Signed-off-by: Rano | Ranadeep <ranadeep@informal.systems> * update SECURITY.md Signed-off-by: Rano | Ranadeep <ranadeep@informal.systems> * apply suggestions from code review Co-authored-by: Greg Szabo <16846635+greg-szabo@users.noreply.github.com> Signed-off-by: Rano | Ranadeep <ranadip.bswas@gmail.com> * fmt Signed-off-by: Rano | Ranadeep <ranadeep@informal.systems> * original interchain text * rm mention of bounty --------- Signed-off-by: Rano | Ranadeep <ranadeep@informal.systems> Signed-off-by: Rano | Ranadeep <ranadip.bswas@gmail.com> Co-authored-by: Greg Szabo <16846635+greg-szabo@users.noreply.github.com>
informalsystems · Nov 15, 2024 · b6f4222 · b6f4222
1 parent 81625d6
commit b6f4222
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Security Vulnerability
+
+If you believe you have found a security vulnerability in the Interchain Stack,
+you can report it to our primary vulnerability disclosure channel, the
+[Cosmos HackerOne program][hackerone-bug].
+
+> [!NOTE]
+> The `ibc-rs` is **NOT** part of the rewards program. Any issues reported for
+> `ibc-rs` are not eligible for bounty rewards.
+
+If you prefer to report an issue via email, you may send a bug report to
+security@interchain.io with the issue details, reproduction, impact, and other
+information. Please submit only one unique email thread per vulnerability.
+
+<!-- Any issues reported via email are ineligible for bounty rewards. -->
+
+Artifacts from an email report are saved at the time the email is triaged.
+Please note: our team cannot monitor dynamic content (e.g. a Google Docs link
+that is edited after receipt) throughout the lifecycle of a report. If you would
+like to share additional information or modify previous information, please
+include it in an additional reply as an additional attachment.
+
+Please **DO NOT** file a public issue in this repository to report a security
+vulnerability.
+
+## Coordinated Vulnerability Disclosure Policy and Safe Harbor
+
+For the most up-to-date version of the policies that govern vulnerability
+disclosure, please consult the [HackerOne program page][hackerone-policy].
+
+The policy hosted on HackerOne is the official Coordinated Vulnerability
+Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and
+infrastructure it supports, and it supersedes previous security policies that
+have been used in the past by individual teams and projects with targets in
+scope of the program.
+
+[hackerone-bug]: https://hackerone.com/cosmos?type=team
+[hackerone-policy]: https://hackerone.com/cosmos?type=team&view_policy=true