docs: add SECURITY.md #2176
+75
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| # Security Policy | ||
|
|
||
| ## Introduction | ||
|
|
||
| Security researchers are essential in identifying vulnerabilities that may impact the Axelar Network. If you have discovered a security vulnerability in the Axelar chain or any repository managed by Axelar, we encourage you to notify us using one of the methods outlined below. | ||
|
|
||
| ### Guidelines for Responsible Vulnerability Testing and Reporting | ||
|
|
||
| 1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to: | ||
| - Axelar mainnet | ||
| - Axelar Frontend Apps e.g satellite.money | ||
| - Axelar Testnet | ||
| - Axelar Testnet Frontend Apps e.g testnet.satellite.money | ||
|
There was a problem hiding this comment.
|
||
|
|
||
| 2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues** | ||
|
|
||
| ## Reporting Security Issues | ||
|
|
||
| To privately report a security vulnerability, please choose one of the following options: | ||
|
|
||
| ### 1. Email | ||
|
|
||
| Send your detailed vulnerability report to `[email protected]`. | ||
|
There was a problem hiding this comment. should this be switched to interoplabs domain? if not, let's forward emails to interoplabs for convenience. |
||
|
|
||
| ### 2. Bug Bounty Program | ||
|
|
||
| Axelar is partnered with Immunefi to offer a bug bounty program. Please visit [Immunefi's website](https://immunefi.com/bug-bounty/axelarnetwork/information/) for more information. | ||
|
|
||
| ## Submit Vulnerability Report | ||
|
|
||
| When reporting a vulnerability through either method, please include the following details to aid in our assessment: | ||
|
|
||
| - Type of vulnerability | ||
| - Description of the vulnerability | ||
| - Steps to reproduce the issue | ||
| - Impact of the issue | ||
| - Explanation of how an attacker could exploit it | ||
|
|
||
| > [!NOTE] | ||
| > Review our criteria in the [Official Docs](https://docs.axelar.dev/resources/bug-bounty/#vulnerability-criteria) | ||
|
|
||
| ## Vulnerability Disclosure Process | ||
|
|
||
| 1. **Initial Report**: Submit the vulnerability via one of the above channels. | ||
| 2. **Confirmation**: We will confirm receipt of your report within 48 hours. | ||
| 3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution. | ||
| 4. **Resolution**: Once fixed, you will be contacted to verify the solution. | ||
| 5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk. | ||
|
There was a problem hiding this comment. perhaps |
||
|
|
||
| During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade. | ||
|
|
||
| During this time: | ||
|
|
||
| - Avoid exploiting any vulnerabilities you discover. | ||
| - Demonstrate good faith by not disrupting or degrading Axelar's services. | ||
|
|
||
| ## Severity Characterization | ||
|
|
||
| | Severity | Description | | ||
| |--------------|-------------------------------------------------------------------------| | ||
| | **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) | | ||
|
There was a problem hiding this comment. remove chain halt. we might change severity for that |
||
| | **HIGH** | Significant impact on major functionality | | ||
| | **MEDIUM** | Impacts minor features or exposes non-sensitive data | | ||
| | **LOW** | Minimal impact | | ||
|
|
||
| ## Bug Bounty | ||
|
|
||
| Our bug bounty program is managed by Immunefi. Please visit [Immunefi's website](https://immunefi.com/bug-bounty/axelarnetwork/information/) for more information. | ||
|
|
||
| > [!WARNING] | ||
| > Targeting our production environments will disqualify you from receiving any bounty. | ||
|
|
||
| ## Feedback on this Policy | ||
|
|
||
| For recommendations on how to improve this policy, either submit a pull request or send an email to `[email protected]`. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra leading space