From 06e72c4fc09be363bcefbc41ef3e442a45ad4cca Mon Sep 17 00:00:00 2001 From: arthurgousset <46296830+arthurgousset@users.noreply.github.com> Date: Thu, 1 Feb 2024 20:23:20 +0000 Subject: [PATCH] docs(SECURITY): deletes `SECURITY.md` in favour of org-wide file --- SECURITY.md | 80 ----------------------------------------------------- 1 file changed, 80 deletions(-) delete mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 3adae2c15..000000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,80 +0,0 @@ -![CELO Bug Bounty Program Intigriti](https://i.postimg.cc/SRvP51Vr/Celo-Notion-Banner-Forest.png) - -# Security - -## Security Announcements - -> Public announcements of new releases with security fixes and of disclosure of any vulnerabilities will be made in the Celo Forum's [Security Announcements](https://forum.celo.org/c/security-announcements/) channel. - -# Reporting a Vulnerability - We’re extremely grateful for security researchers and users that report vulnerabilities to the Celo community. All reports are thoroughly investigated. - -### **Please do not file a public ticket** mentioning any vulnerability. - -The Celo community asks that all suspected vulnerabilities be privately and responsibly disclosed. - -## Creating a report: -1. Submit your vulnerability to [Celo on Intigriti](https://app.intigriti.com/programs/clabs/clabs/detail). - - This is currently a public program -2. You can also email the [security@clabs.co](mailto:security@clabs.co) list with the details of reproducing the vulnerability as well as the usual details expected for all bug reports. - -## Primary Focus -- Celo protocol, but the team may be able to assist in coordinating a response to a vulnerability in the third-party apps or tools in the Celo ecosystem. 
- -# In Scope ---------------------------------------------- - https://celo.org - https://\*.celo.org - https://\*.clabs.co - https://github.com/celo-org/* - -# Out of Scope ----------------------------------------------------------------------------------------------------------------- -Verbose messages/files/directory listings without disclosing any sensitive information -CORS misconfiguration on non-sensitive endpoints -Missing cookie flags -Missing security headers -Presence of autocomplete attribute on web forms -Bypassing rate-limits -Clickjacking on pages with no sensitive actions -Host header injection without proven business impact -Anything related to email spoofing, SPF, DMARC or DKIM -Open ports without an accompanying proof-of-concept demonstrating vulnerability -Open write access of documents pertain to the community - -# General ----------------------------------------------------------------------------------------------------------------- -- In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate -- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity -- Spam, social engineering and physical intrusion -- DoS/DDoS attacks or brute force attacks -- Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted -- Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts -- Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty. 
-- Reports that state that software is out of date/vulnerable without a proof-of-concept - -# Frequently Asked Questions - -- ### What will happen if a vulnerability is reported and is known to the company from their own tests,? - - It will be flagged as a duplicate -- ### What kind of exploits are excluded from the program or may be lowered in severity? - - Reports that state that software is out of date/vulnerable without a proof-of-concept - - Theoretical security issues with no realistic exploit scenario(s) or attack surfaces - - Issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity - - Spam, social engineering and physical intrusion - - DoS/DDoS attacks or brute force attacks - - Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted - - Attacks requiring physical access to a victim’s computer/device will not be accepted. - - Man in The Middle - - Compromised User Accounts -- ### Do you accept recently disclosed zero-day vulnerabilities? - - We need time to patch our systems just like everyone else - please give us 2 weeks before reporting - - -# Optional Method for Disclosure -### You may encrypt your email using this GPG key (but encryption is NOT required) - -``` -PGP Fingerprint ID: A22B62A5EAFB6948 -``` -
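Review bot: the deletion drops the only place this repository names its reporting channels (the Intigriti program link, the security@clabs.co address, the Celo Forum Security Announcements channel and the PGP fingerprint A22B62A5EAFB6948), but neither the commit message nor the diff says where the org-wide replacement lives. GitHub only falls back to an organization-level SECURITY.md (the `.github` community health repository) when no repository-level file exists, so please confirm that file is already in place and carries the same contact details, scope list and encryption option before this merges; otherwise the repository's security tab will show no policy at all and the `-> Public announcements ...` pointer to the forum channel is lost. Adding the path or URL of the org-wide file to the commit message would also make the change self-explanatory for anyone reading the history later.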