From 7ad090367c1725c8e86944e17743f44dabeb0f24 Mon Sep 17 00:00:00 2001 From: teor Date: Thu, 28 Jan 2021 18:04:32 +1000 Subject: [PATCH] Add security disclosure principles Make our security disclosure goals and principles explicit, including: - prioritising users and researchers - assuming good faith - operating a no fault process - working with researchers regardless of how they disclose (but we prefer this process) --- responsible_disclosure.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/responsible_disclosure.md b/responsible_disclosure.md index 79f3cce0..42ebd445 100644 --- a/responsible_disclosure.md +++ b/responsible_disclosure.md @@ -1,11 +1,24 @@ This page is copyright Zcash Foundation, 2021. It is posted in order to conform to this standard: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6 # Security Disclosures + +## Disclosure Principles + +The Zcash Foundation's security disclosure process aims to achieve the following goals: +- protecting Zcash users and the wider Zcash ecosystem +- respecting the work of security researchers +- improving the ongoing health of the Zcash ecosystem + +Specifically, we will: +- assume good faith from researchers and ecosystem partners +- operate a no fault process, focusing on the technical issues +- work with security researchers, regardless of how they choose to disclose issues + ## Receiving Disclosures The Zcash Foundation is committed to working with researchers who submit security vulnerability notifications to us to resolve those issues on an appropriate timeline and perform a coordinated release, giving credit to the reporter if they would like. -Please submit issues to security@zfnd.org. +Our best contact for security issues is security@zfnd.org. ## Sending Disclosures
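Review bot: The last bullet under "Specifically, we will:" commits to working with researchers "regardless of how they choose to disclose issues", but the preference the commit message states ("but we prefer this process") does not appear anywhere in the added text. The same hunk also replaces "Please submit issues to security@zfnd.org." with "Our best contact for security issues is security@zfnd.org.", which drops the explicit request to report there. Taken together, a reader of the page is no longer told that private email is the preferred route. Consider stating the preference in the bullet or in the contact line, for example "work with security researchers, regardless of how they choose to disclose issues (we prefer reports sent to security@zfnd.org)". Style point in the second bullet of the same list: "no fault process" reads more clearly hyphenated as "no-fault process".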