Skip to content

Security: scrtlabs/SecretNetwork

Security

SECURITY.md

Secret Network Bug Reporting and Feature Requests

SCRT Labs uses GitHub to manage feature requests and bugs for Secret Network. This is done via GitHub Issues.

Feature Request

For a feature request, please create a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Secret Network.

If it is something that can be handled by a param change, discuss it on the forum, on Telegram or on Discord in #🏛governance and consider a governance proposal.

Standard Priority Bug

For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.

Critical bug or security issue

If you're here because you're trying to figure out how to notify us of a security issue, please email us at [email protected].

Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you:

  • Allow us a reasonable amount of time to correct or address security vulnerabilities.
  • Avoid exploiting any vulnerabilities that you discover.
  • Demonstrate good faith by not disrupting or degrading Secret Network's services.

Vulnerability Disclosure Process

  • Once a security report is received, the SCRT Labs development team works to verify the issue.
  • Patches are prepared for eligible releases in private repositories.
  • We notify the community that a security release is coming, to give users and node operators time to prepare their systems for the update. Notifications can include Telegram & Discord messages, tweets, and emails to partners and validators.
  • Once the community is ready, the fixes are applied publicly, new releases are issued and the source code is made public.
  • Then we will pay out any relevant bug bounties to submitters.

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Secret Network and the projects running on it secure.

There aren’t any published security advisories