Skip to content

Latest commit

 

History

History
73 lines (46 loc) · 4.65 KB

SECURITY.md

File metadata and controls

73 lines (46 loc) · 4.65 KB
Raw

Security Policies and Reporting for Seigr

Seigr is committed to building a resilient, eco-driven decentralized system that prioritizes data security, integrity, and transparency. We take security seriously and aim to create an environment where contributors and users feel confident about reporting potential vulnerabilities. This document outlines the steps for confidentially reporting security issues and how we handle security concerns within the Seigr ecosystem.

Reporting Security Vulnerabilities

If you have identified a potential security vulnerability in Seigr, please follow the steps below to report it responsibly and securely:

  1. Contact the Security Team

    • Email our security team directly at hei@seigr.net with the subject line: Security Vulnerability Report.
    • Do not disclose the vulnerability publicly or in the GitHub Issues section to prevent potential exploitation.

  2. Provide Detailed Information

    • Description: Describe the nature of the vulnerability, including any potential impacts.
    • Reproduction Steps: Provide clear, step-by-step instructions for reproducing the vulnerability.
    • Technical Details: Include technical details, such as logs, screenshots, or system information relevant to the issue.
    • Severity Rating: If possible, provide an assessment of the vulnerability's severity and its impact on Seigr's core functions.

  3. Confidentiality

    • All reports are treated as confidential, and we request that reporters respect this by not disclosing the issue publicly until we have resolved it.
    • We will work closely with you to understand the vulnerability, confirm it, and implement any necessary patches.

Our Response Process

Once a vulnerability report is submitted, our security team follows a structured response process:

  1. Acknowledgment

    • We aim to acknowledge all reports within 48 hours of submission. Our team may contact you for further clarification or additional details as necessary.

  2. Investigation

    • The security team will verify the issue, assess its impact, and determine the scope of necessary changes. We strive to complete this assessment within five business days, depending on the complexity of the issue.

  3. Remediation and Fix

    • After confirming the issue, our developers will prioritize creating a fix. Patches or updates will be developed, tested, and scheduled for release. We aim to address critical vulnerabilities as soon as possible, usually within 14 days.

  4. Notification

    • Once the issue is resolved, we will notify the reporter with details of the fix and expected release dates. If the vulnerability requires an immediate patch, we will coordinate with the reporter on the best approach for communication.

  5. Public Disclosure

    • We believe in transparency and will document resolved vulnerabilities in our release notes or advisories after patches are available. Vulnerabilities will only be disclosed once a fix is in place, and we will work with reporters to determine the appropriate timing and format for disclosure.

Scope

Seigr’s security policies and reporting guidelines apply to:

  • Core Seigr Codebase: Any code within the main Seigr repository.
  • Protocol Buffers and Modules: Security vulnerabilities found in .proto files or specific modules, such as replication, lineage management, and senary encoding.
  • Third-Party Integrations: Issues found in Seigr’s integration with external services (e.g., IPFS) should also be reported here. We will coordinate with third-party providers as necessary.

Responsible Disclosure and Code of Conduct

We strongly support responsible disclosure and appreciate the community’s efforts to report security issues with integrity and respect for confidentiality. Reporters who adhere to our disclosure guidelines will be recognized and may be eligible for acknowledgment within the Seigr project.

Code of Conduct

  • Do not exploit vulnerabilities or test security issues in a way that may compromise the Seigr network or user data.
  • Respect Confidentiality: Please avoid sharing the issue outside of the official reporting channels until an official patch has been released.
  • Communicate Transparently: Engage openly and constructively with our team as we work to resolve reported issues.

Security Contact

For any questions, clarifications, or follow-ups on security reports, please contact security@seigr-lab.org.

We are grateful for the community's commitment to helping Seigr remain a secure, adaptive, and ethically driven ecosystem. Thank you for your dedication to responsible reporting and sustainable innovation.