From b13b7620b420307f2f23d92e2b5ff450f1188a84 Mon Sep 17 00:00:00 2001 From: Tess Rinearson Date: Fri, 9 Apr 2021 02:59:57 -0700 Subject: [PATCH] security: update policy after latest security release (#6336) --- SECURITY.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 351f5606c..23e5fcc42 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -46,8 +46,9 @@ The following is an example timeline for the triage and response. The required r 1. Request CVE number (ADMIN) 2. Gather emails and other contact info for validators (COMMS LEAD) -3. Test fixes on a testnet (TENDERMINT ENG, COSMOS ENG) -4. Write “Security Advisory” for forum (TENDERMINT LEAD) +3. Create patches in a private security repo, and ensure that PRs are open targeting all relevant release branches (TENDERMINT ENG, TENDERMINT LEAD) +4. Test fixes on a testnet (TENDERMINT ENG, COSMOS ENG) +5. Write “Security Advisory” for forum (TENDERMINT LEAD) #### 24 Hours Before Release Time @@ -114,6 +115,9 @@ Assuming less than 1/3 of the voting power is Byzantine (malicious): * A node halting (liveness failure) * Syncing new and old nodes +Assuming more than 1/3 the voting power is Byzantine: + +* Attacks that go unpunished (unhandled evidence) ### Networking @@ -139,7 +143,7 @@ Attacks may come through the P2P network or the RPC layer: ### Libraries -* Serialization (Amino) +* Serialization * Reading/Writing files and databases ### Cryptography