|
1 | | -# Liquidity Provider Server Security Process |
| 1 | +# RootstockLabs's Security Process |
2 | 2 |
|
3 | 3 | We are committed to conduct our security process in a professional and civil manner. Public shaming, under-reporting or misrepresentation of vulnerabilities will not be tolerated. |
4 | 4 |
|
5 | 5 | ## Responsible Disclosure |
6 | 6 |
|
7 | | -For all security related issues, Liquidity Provider Server has two main points of contact. Reach us at `security@rootstocklabs.com` or refer to our [Bug Bounty Program](https://www.rootstocklabs.com/bug-bounty-program). **Do not open up a GitHub issue if the bug is a security vulnerability** |
| 7 | +For all security related issues, RootstockLabs has two main points of contact. Reach us at <security@rootstocklabs.com> or refer to our [Bug Bounty Program](https://www.rootstocklabs.com/bug-bounty-program/). **Do not open up a GitHub issue if the bug is a security vulnerability** |
8 | 8 |
|
9 | 9 | **Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/liquidity-provider-server/issues). |
10 | 10 |
|
11 | | -## Vulnerability Handling |
| 11 | +## Disclouse Policy |
12 | 12 |
|
13 | | -### Response Time |
| 13 | +- Follow Immunefi's [disclosure guidelines](https://immunefi.com/responsible-publication/). |
| 14 | +- Public disclosure of a vulnerability makes it ineligible for a bounty. |
14 | 15 |
|
15 | | -RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities: |
16 | | - |
17 | | -* Time to first response (from report submit) - 5 business days |
18 | | -* Time to triage (from report submit) - 7 business days |
19 | | -* Time to bounty (from triage) - 15 business days |
20 | | - |
21 | | -We'll try to keep you informed about our progress throughout the process. |
22 | | - |
23 | | -### Disclouse Policy |
24 | | - |
25 | | -* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). |
26 | | -* Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to RootstockLabs with considerable delay, then RootstockLabs may reduce or cancel the bounty. |
27 | | - |
28 | | -For more information check RootstockLabs bounty program policy at [HackerOne](https://hackerone.com/rootstocklabs) |
| 16 | +For more information check RootstockLabs bounty program policy at [Immunefi](https://immunefi.com/bug-bounty/rootstocklabs/information) |
29 | 17 |
|
30 | 18 | ## Public Keys |
31 | 19 |
|
32 | 20 | ### Security |
33 | 21 |
|
34 | | -``` |
| 22 | +```gpg |
35 | 23 | -----BEGIN PGP PUBLIC KEY BLOCK----- |
36 | 24 | Version: GnuPG v2 |
37 | 25 |
|
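Review bot: The promoted heading at new line 11 still reads `## Disclouse Policy`; the typo was carried over from the removed `### Disclouse Policy` and should be `## Disclosure Policy`. The unchanged line 9 still points reporters at the liquidity-provider-server issue tracker for the duplicate check, which no longer matches the generalized title "RootstockLabs's Security Process"; either keep the repository-specific wording or say which tracker applies. The response-time targets (5, 7 and 15 business days) and the clause about delayed reports are removed with nothing in the file replacing them, so state whether the linked Immunefi page now carries those terms. A key fingerprint under `### Security`, before the fenced block, would let reporters verify the key they import.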
@@ -140,4 +128,4 @@ v0FjOkVKB3PSHj1q4fogldX0Yb55tUa3rX0Rb8QEKInQj8FFPd44XHclv9PTv0OL |
140 | 128 | IfHtYt8huvu34FA85HR8wAOPiqvyJ7Oj |
141 | 129 | =r7Yf |
142 | 130 | -----END PGP PUBLIC KEY BLOCK----- |
143 | | -``` |
| 131 | +``` |
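Review bot: The only change in this hunk, the closing fence at old line 143 / new line 131, is textually identical on both sides as shown, so it is presumably an end-of-file newline or trailing-whitespace change. Please confirm that is intended and that the file now ends with a newline. The key block lines above it are unchanged context, so the published key itself should be unaffected by this hunk.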