From f2f40d35e8b5562ba0de07fb54925908330818b3 Mon Sep 17 00:00:00 2001 From: Leandro Ferrigno Date: Tue, 28 Jan 2025 15:44:53 -0300 Subject: [PATCH] chore: Add Security Reporting Instructions (#966) * Add SECURITY.md * Modified readme for security --- .github/SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++ README.md | 9 +++++++++ 2 files changed, 45 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..bda332d31 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,36 @@ +# Security Policy + +## Reporting a Vulnerability + +We take the security of our project seriously. If you discover a vulnerability, we encourage you to report it responsibly so we can address it promptly. + +### How to Report + +1. Navigate to the **Security** tab of this repository. +2. Click on **"Report a Vulnerability"** to open the GitHub Security Advisories form. +3. Fill out the form with as much detail as possible, including: + - A clear description of the issue. + - Steps to reproduce the vulnerability. + - The affected versions or components. + - Any potential impact or severity details. + +Alternatively, you can send an email to **[security@lambdaclass.com](mailto:security@lambdaclass.com)** with the same details. + +### Guidelines for Reporting + +- **Do not publicly disclose vulnerabilities** until we have confirmed and fixed the issue. +- Include any proof-of-concept code, if possible, to help us verify the vulnerability more efficiently. +- If applicable, specify if the vulnerability is already being exploited. + +### Our Response Process + +- We commit to handling reports with diligence. +- We will investigate all reported vulnerabilities thoroughly and transparently. +- Once the vulnerability has been fixed, we will disclose the details publicly to ensure awareness and understanding. + + +### Reward Program + +While we do not currently offer a formal bug bounty program, we value your contribution and will recognize your efforts in our changelog or release notes (if you consent). + +Thank you for helping us improve the security of our project! diff --git a/README.md b/README.md index 2bc12767d..27202120a 100644 --- a/README.md +++ b/README.md 
@@ -215,3 +215,12 @@ The following links, repos, companies and projects have been important in the de - [Gnark](https://github.com/Consensys/gnark) - [Constantine](https://github.com/mratsim/constantine) - [Plonky3](https://github.com/Plonky3/Plonky3) + +# Security + +We take security seriously. If you discover a vulnerability in this project, please report it responsibly. + +- You can report vulnerabilities directly via the **[GitHub "Report a Vulnerability" feature](../../security/advisories/new)**. +- Alternatively, send an email to **[security@lambdaclass.com](mailto:security@lambdaclass.com)**. + +For more details, please refer to our [Security Policy](./.github/SECURITY.md).
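Review bot: In the SECURITY.md hunk, the "Our Response Process" bullets commit to nothing measurable ("with diligence", "thoroughly and transparently"); a reporter needs an acknowledgment window and a disclosure policy, so replace them with concrete terms, e.g. "We acknowledge reports within N business days", "We will agree an embargo and disclosure date with the reporter before publishing details." The same hunk also asks for proof-of-concept code over plain email to security@lambdaclass.com without offering a PGP key or fingerprint, so exploit details would travel unencrypted; either publish a key in this file or state that the GitHub advisory form is the preferred channel for PoCs. Finally, step 1 "Navigate to the **Security** tab" only yields a "Report a Vulnerability" button when private vulnerability reporting is enabled in the repository settings, which the PR does not mention; confirm it is enabled, and consider adding the "Supported Versions" section GitHub's SECURITY.md template uses so reporters know which releases receive fixes.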
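Review bot: In the README hunk, the relative link `../../security/advisories/new` only resolves to the advisory form when the README is rendered on GitHub's blob view; anywhere else the README is shown (package registries, mirrors, local Markdown viewers) it is a dead link. Use the absolute URL of the repository's `security/advisories/new` page instead, and keep the `./.github/SECURITY.md` link, which degrades more gracefully since the file ships with the repository.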