From c3c8cc21ff2191f960df89bb1edf3ee9010a315a Mon Sep 17 00:00:00 2001 From: Zaxounette <51208677+Zaxounette@users.noreply.github.com> Date: Mon, 24 Apr 2023 08:04:56 +0200 Subject: [PATCH] Security Page Refactor (#4815) * Update SECURITY.md * typo * project vs product * Suggestion Update - Docker Deployment Co-authored-by: d11n * Suggestion - Email highlight Co-authored-by: d11n --------- Co-authored-by: d11n --- SECURITY.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 71 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index b12f96cfd..f113e75f8 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,9 +1,75 @@ -# How to handle security issues and bug reports? +# Reporting a potential Vulnerability. + +We take the security of our project seriously, and we encourage responsible disclosure of any vulnerabilities that may be found. To facilitate this process, we have established the following vulnerability reporting process. -Security issues and bugs should be reported privately via email. To report a security issue, please email **security@btcpayserver.org** (not for support). +We appreciate your efforts to disclose your findings responsibly. -You will receive a reply indicating the next steps in handling your report. If, for some reason, you do not receive a response within 24 hours, please follow up via email to ensure the original message was received. +##### 1. Reporting Channel +If you believe you have discovered a vulnerability in our project, please email us at `security@btcpayserver.org`. Alternatively, you may report the vulnerability to us through [huntr.dev](https://huntr.dev/repos/btcpayserver/btcpayserver/). -After the initial reply to your report, you will be informed of the progress towards a fix and full announcement. You may be asked to provide additional information or guidance. +Please allow for up to 2 business days for an acknowledgement of receipt. If you receive no response within 2 business days, please follow up via email to ensure the original message was received. -We appreciate your efforts to disclose your findings responsibly and will make every effort to acknowledge your contributions. +Upon review of your report, you may be asked to provide additional information or guidance. + + + +##### 2. In-Scope + +We welcome reports of vulnerabilities in repositories owned by the [BTCPay Server Github Organization](https://github.com/btcpayserver). This includes any issues related to the confidentiality, integrity, or availability of systems or data in these systems. + +##### 3. Out of Scope + +1. 
Any BTCPay Server deployment that has been customized in any way. To facilitate reproducibility, please verify that the BTCPay Server instance is based on the un-altered source-code or [Docker deployment](https://docs.btcpayserver.org/Docker/). +2. Any BTCPay Server plugin that is not authored by `btcpayserver` as stated by the author tag in-app. + +##### 4. Preferred Reporting Template + +We encourage the use of a reporting template that includes a detailed description of the vulnerability, any evidence or proof of concept, and steps to reproduce the vulnerability. + +Please find an example of an email template [at the end of this document](#7-reporting-template-example). + +##### 5. Timeline for Remediation + +While we will work to remediate the reported vulnerability within 90 business days from the acknowledgment of the report, being a team of volunteers, we cannot guarantee this timeline to be accurate at all time. + +We will provide regular updates to the reporter until the vulnerability is resolved. + +##### 6. Timeline to Public Disclosure + +We will work with the reporter to define a suitable timeline to public disclosure once the vulnerability is remediated. + + + +##### 7. Reporting Template Example + + +Feel free to use the below template to report a vulnerability. + +``` +Subject: Vulnerability Report - BTCPay Server + +Dear BTCPay Server team, +I am writing to report a security vulnerability that I have identified in BTCPay Server. I believe this vulnerability poses a significant threat to the security of the project and its users. + +Here are the details of the vulnerability: + +* Vulnerability description: [Provide a clear and concise description of the vulnerability] +* Impact: [Describe the potential impact of the vulnerability, ie. 
any potential consequences for the project, its users, or any third parties] +* Affected version(s): [Specify which version(s) of the project are affected by the vulnerability] +* Steps to reproduce & Proof of Concept: [Provide a step-by-step guide to reproduce the vulnerability, including any screenshots and code snippets you feel would help] +* Severity: [Provide your assessment of the severity of the vulnerability, using a scale such as Warning/Low/Medium/High/Critical] +* Mitigation or Fix: [Provide your recommendation for a solution or mitigation strategy for the vulnerability] + +If needed, I [agree/do not agree] to be invited into a Github private fork for the purpose of helping resolve this vulnerability. [Please include a link to your github profile] + +Please let me know if you need any further information or if you would like to discuss this vulnerability in more detail. + +Thank you for your attention to this matter. + +Sincerely, +[Your Name/Handle] + +``` \ No newline at end of file
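Review bot: The new "1. Reporting Channel" paragraph drops the "(not for support)" caveat that the removed line attached to `security@btcpayserver.org`; keeping it, e.g. "please email us at `security@btcpayserver.org` (security reports only, not for support)", helps keep support requests out of the security inbox. Smaller points in the same hunk: the section headings jump from `#` straight to `#####`, which renders as tiny headings and breaks the outline, so `##` would fit better; the title "# Reporting a potential Vulnerability." carries a trailing period and inconsistent capitalisation; "at all time" in section 5 should be "at all times", "ie." in the template should be "i.e.", and "Github" should be "GitHub" in both the scope section and the template; the template's severity scale "Warning/Low/Medium/High/Critical" mixes a non-standard "Warning" level into an otherwise conventional scale, so either drop it or ask reporters for a CVSS score alongside it; the three consecutive blank lines before sections 2 and 7 can be collapsed to one; and the file now ends without a trailing newline ("\ No newline at end of file"), which some linters flag.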