| 1 | +# Vulnerability disclosure Loki |
| 2 | + |
| 3 | +1. This Vulnerability Response Process and subsequent bounty reward apply to the following: |
| 4 | + -Code implementation as seen in the Loki repository which sits underneath the Loki-Project |
| 5 | + -Written research from the Loki Team which dictates said code implementation |
| 6 | + |
| 7 | +2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following: |
| 8 | + -Denial of Service / Active exploiting against the Loki mainnet, Runechain or Service node networks |
| 9 | + -Social Engineering of Loki staff, contractors or Foundation members |
| 10 | + -Any physical or electronic attempts against Loki community property and/or data centers |
| 11 | + |
| 12 | +3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. **The live sites are NOT in the scope of this process; only the code is!** |
| 13 | + |
| 14 | + |
| 15 | +4. Bounty will be released for all projects in Loki (LOK) only. For more information on how to use Monero, visit the [Loki website](https://Loki.network) |
| 16 | + |
| 17 | +5. Bounty is not eligible to those who: |
| 18 | + - do not abide by the VRP for responsible disclosure |
| 19 | + |
| 20 | + |
| 21 | +## 1. Points of contact for security issues |
| 22 | + |
| 23 | +``` |
| 24 | +Kee [at] Loki.network |
| 25 | +PGP fingerprint = 8877 EEBB 9721 ABC5 DF64 9AE4 AC97 1489 5CE4 5D55 |
| 26 | +
|
| 27 | +``` |
| 28 | +``` |
| 29 | +-----BEGIN PGP PUBLIC KEY BLOCK----- |
| 30 | +Version: GnuPG v1 |
| 31 | +
|
| 32 | +mQENBFrbANQBCAC5HMKeapz+WECQ3vY1XuSOM32yUfzp4V/rY5+YvJ/Gb7wxczF2 |
| 33 | +NTLxfr7ueJTyICXcj/h7qnvdtpbN87ZhjWTZzG0lmrCIfZX75dOQIjch8DkGblEB |
| 34 | +RUG90edRx4GwYHPjfIUbIxYHcINKYMgH9jKqfHAVQD7HuvkBX1IYbNi/Kgj0wVgJ |
| 35 | +vVA94x8JCD5blqGbos7r02bZxQHujAHnC19/PQxRyZwJNI0v1xJgy6w/cQduFLzL |
| 36 | +GeEnkQfmJiSKEYzRLY3BYRSmysqD0bLGWLLSa1fcxAD+kllY1kSZXpHKH1XmErpi |
| 37 | +pRCLblQs0kZYqHDKG2gscfpuaaM4fSiGmY8nABEBAAG0H0tlZSBKZWZmZXJ5cyA8 |
| 38 | +S2VlQGxva2kubmV0d29yaz6JATwEEwEKACYFAlrbANQCGwMFCQlmRIwFCwkIBwMF |
| 39 | +FQoJCAsEFgIBAAIeAQIXgAAKCRCslxSJXORdVa7zCACAw7eEYcXlZXxXOB43TSKq |
| 40 | +BTBtqISmu0+Me94PXNGo5XOp0gzVhgXPedbuz58Y1g9aCp0/wwg5cZvh6ky8zwgt |
| 41 | +q2BtayTb36elUkcejo9IdgN+1Ruzr8bUdWQrw7w/sZGgI3ZaoMlHvm7mus1cqKH4 |
| 42 | +3gKaBYG/zPG25hgne13j365kxi+xgklvo0lL3atHV61UxdTlgDm2s4ZtfrMeV9fY |
| 43 | +DRwcIjzyYv3HWAJvD60dN1RHzTCBxiMiyl6HLawh/3dpHVDOAdrIGqHfIbzodVLW |
| 44 | +SA4JLw8at3JA8ColWkyFQj1srxvJJunT+haH32h2g9rNS/lf5z+Mdv+LfIPv/iZ5 |
| 45 | +uQENBFrbANQBCAC+4N/f+RZ8jYHW6VLPGT8nspuEyEgE++zab5XOkS8qcnP0e2sR |
| 46 | +F0G1RLlJr6hfaowEqLOO0CTIguOBpRfeTWLHzSUK+w8pFx2GfvxXAyxViNbsA5/U |
| 47 | +E4gbDgOu8AkZWOQLK0nPnE0eyBhHCz22yTJY7P5AUcbo2jw9q9Ye78GbTQx8JPXl |
| 48 | +jia/VZprMILFOGQROGkH1amqDcaNuX6iOMKS6GtyP+eElPj+IWqwMUlr9aX+ptBQ |
| 49 | +zfsw+KzgYC+RBS44SM98ZgNBEibZXKfQMT2t80riKgRUPTBQcOref9T+jAtfZl1A |
| 50 | +OAKm0tLc3o0n0WvmjvxxOOfzdpvEDya12e4VABEBAAGJASUEGAEKAA8FAlrbANQC |
| 51 | +GwwFCQlmRIwACgkQrJcUiVzkXVWaNQf8C0oYU0iN3YuA+AXGxBlfMHlxz4xhbbd7 |
| 52 | +Fn8EOIxi3scOltYeU/WvdSdXZ4IJEjydPo7TmVrQ746MUfLC+6ZfH9EDP322s+T/ |
| 53 | +TYbt3oNA0RWl2CxakpIlRKgCIuC6EEc1U32nKsXH3Uz7UVx8u9GrDxSvGhTSVppN |
| 54 | +k3nhtcWeSBtANrWuhei1MC4+bRdHHExf6kHtdDMNsuwJmG3FtlKoP9l/Vpb3KscX |
| 55 | +9FqdEYPrJSNk3QrndS/a9QzWsm4PR0LTp2+2WC2cDgFjPUqZqZVLA5hSutUVTzGG |
| 56 | +fKg1gFLyG7Ed4fSa25pe5nUSJUCjFy1HprSM+I9IsSxc8sDll60a3Q== |
| 57 | +=iX6u |
| 58 | +-----END PGP PUBLIC KEY BLOCK----- |
| 59 | +``` |
| 60 | + |
| 61 | +``` |
| 62 | +Simon [at] Loki.network |
| 63 | +PGP fingerprint = 45FF F23B 7805 CEC7 7C7E 15F6 2246 DFA8 0945 A5BD |
| 64 | +``` |
| 65 | +``` |
| 66 | +-----BEGIN PGP PUBLIC KEY BLOCK----- |
| 67 | +Version: GnuPG v1 |
| 68 | +
|
| 69 | +mQENBFrmnhgBCAC3LWatVxk3QWV7V42B++En8l3xDeQ3uAaXwRot98/4ybImAwmc |
| 70 | +ur4YCuLBXBiyZPrUQ8m6DxGG9a2RaNll+2dEkaxjDxIJsM7Op+2nUxlDBGrSS3Cf |
| 71 | +p40BxM4pDBDe1j9haSdoamujYpUDCpYTLA1npKiCUncITsmc+ivefkXBskgh66eI |
| 72 | +f69yEdeN7dvAqOWaaogBKucQfk9Si3MDXTAqm+hJbR1ByHBw/C0yXfNuq46mEVn6 |
| 73 | +Tu25cquQPIfYebXldJ4MDD5vogzPJqjMH5Kna/24PqKiR9KpI8NYjUbiRlhuJj2q |
| 74 | +SjOvks9bJ4Qf+yp7o7qA41TCecsVxdciqtnJABEBAAG0IVNpbW9uIEhhcm1hbiA8 |
| 75 | +c2ltb25AbG9raS5uZXR3b3JrPokBPAQTAQoAJgUCWuaeGAIbAwUJCWaEyAULCQgH |
| 76 | +AwUVCgkICwQWAgEAAh4BAheAAAoJECJG36gJRaW9G9QH+gLTCoILegkdJDqGvjsK |
| 77 | +r7eeD4jxuuRWcWohf+g/Xt9WUR4vOYdUY5+zXwpB7jMK0TKfNt2XMuWU6s32baXT |
| 78 | +M5dpQs7np5lCkFl7KFyz6AZtz5l8f1pW3PevMDILmqDiljFAXCYzG6GZ4AaB9s5c |
| 79 | +ikyrnRKreMdFLNR62pOCb5B8PAUBkT4BA5q2Yzfjo8oPX325zdsIlIOLvGDL8E2B |
| 80 | +28vzm0MCbnwiimCb8GlddjjpLWMjNe/SU4YeSOUxK0/zr902+X3ooJPmDtDnC5rs |
| 81 | +I5Kdfh7H9wWPbOcZhfYGL/pNZHIfIErY17qpNyv+s3YJNh/Be5dXG3QBbTcLH5xV |
| 82 | +sK65AQ0EWuaeGAEIAL3piiswJOJQHNtTbdwSc0xzTm/iPfpZUyobcSSZpVzOZUPQ |
| 83 | +D3ULlx/5RGO6cdwq+8Tz/OR+mUJHCJSxOnI+/PWMs+3ZyKPMIlhC9Khq3RiWHPQt |
| 84 | +aRD7USRSWXWwZH6JVCCFpMnhnnHfY+eJzlZC7G8nCJzUk15s/3425HTRlavfRaf7 |
| 85 | +S6i28wQ98AEUBTITOx3mesnKF7oprZX89El/ToplC0QGRNJj7ZPPNw3QAC244u7B |
| 86 | +ExKiZKSWjDpcLANB6ORQv1eriy/VuIg/dDwwVIi9pR561tmqbVM7QeIsg52QpY63 |
| 87 | +ctyHa2CrCyBt4ceR5mqJLuAWow7xmZWrT2+LA2cAEQEAAYkBJQQYAQoADwUCWuae |
| 88 | +GAIbDAUJCWaEyAAKCRAiRt+oCUWlvQL2B/9gcSBhf0FwAmVUVM/OFe1yww38i/xA |
| 89 | +IMUI5rPO8bKh5i3uOVZx7QucY9xPctu4YkCI8SgWLfOnQJtNbjbvduSVlWMjlmGW |
| 90 | +9qDOpjiFX95AFlUboZ5ii4hxAetFjCOqpMamd6DAFP7ojIbrOE3chN8axqOe4Lx0 |
| 91 | +Ydsi20b25qT+IRAoIFWker14PHoAo8Xh+JgQ7tCijS8FzLpLZh/K99qhCz32FMIH |
| 92 | +5cMPQTI3EPCo+08tWpkjC/a/vtm/Q9/55+5mbdwRVpWfmQ1X0881PybvGqQbmfrT |
| 93 | +tnRmtnBe0ZSQ8P79bMq+OQMVdrCDTUEp3JqFgH1z2yd4BIeEKN69fy6Q |
| 94 | +=iGxZ |
| 95 | +-----END PGP PUBLIC KEY BLOCK----- |
| 96 | +``` |
| 97 | + |
| 98 | +## 2. Incident response |
| 99 | + |
| 100 | +1. Researcher submits report via PGP encrypted Email to the relevant Disclosure manger (DA), use the appropriate public keys listed in section 1 to contact specific DA’s, the subject of the email should be “Vulnerability disclosure” |
| 101 | + |
| 102 | +2. In no more than 3 working days, the DA should respond to the researcher using encrypted, secure channels |
| 103 | + |
| 104 | +3. DA makes inquiries to satisfy any needed information to confirm if submission is indeed a vulnerability |
| 105 | + - a. If submission proves to be vulnerable with PoC code / exploit, proceed to next step |
| 106 | + - b. If not vulnerable: |
| 107 | + -i. DA responds with reasons why submission is not a vulnerability |
| 108 | + -ii. DA moves discussion to a new or existing ticket on GitHub if necessary |
| 109 | + |
| 110 | +4. DA Establishes severity of vulnerability: |
| 111 | + - a. HIGH: impacts network as a whole, has potential to break entire Loki network, or service nodes, could result in the loss of Loki. |
| 112 | + - b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited |
| 113 | + - c. LOW: is not easily exploitable or is low impact |
| 114 | + - d. If there are any disputes regarding bug severity, the Loki Foundation will ultimately define bug severity |
| 115 | + |
| 116 | + |
| 117 | +5. Respond according to the severity of the vulnerability: |
| 118 | + - a. HIGH severities must be notified on website and reddit /r/LokiProject within 3 working days of classification |
| 119 | + - i. The notification should list appropriate steps for users to take, if any |
| 120 | + - ii. The notification must not include any details that could suggest an exploitation path |
| 121 | + - iii. The latter takes precedence over the former |
| 122 | + - b. MEDIUM and HIGH severities will require a Point Release |
| 123 | + - c. LOW severities will be addressed in the next Regular Release |
| 124 | + |
| 125 | +6. DA and Loki project team will apply appropriate patch(es) |
| 126 | + - a. DA designates a PRIVATE git "hotfix branch" to work in |
| 127 | + - b. Patches are reviewed with the researcher |
| 128 | + - c. Any messages associated with PUBLIC commits during the time of review should not make reference to the security nature of the PRIVATE branch or its commits |
| 129 | + - d. Vulnerability announcement is drafted |
| 130 | + - i. Include the severity of the vulnerability |
| 131 | + - ii. Include all vulnerable systems/apps/code |
| 132 | + - iii. Include solutions (if any) if patch cannot be applied |
| 133 | + - e. Release date is discussed |
| 134 | + |
| 135 | +7. At release date, DA coordinates with developers to finalize update: |
| 136 | + - a. Response Manager propagates the "hotfix branch" to trunk |
| 137 | + - b. Response Manager includes vulnerability announcement draft in release notes |
| 138 | + - c. Proceed with the Point or Regular Release |
| 139 | + |
| 140 | +## 3. Post-release disclosure process |
| 141 | + |
| 142 | +1. The DA has 90 days to fulfill all points within section 2 |
| 143 | + |
| 144 | +2. If the Incident Response process in section 2 is successfully completed: |
| 145 | + - a. Researcher decides whether or not to opt out of receiving name/handle/organization credit. By default, the researcher will receive name/handle/organization credit. |
| 146 | + - i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution" |
| 147 | + - b. Finalize vulnerability announcement draft and include the following: |
| 148 | + - i. Project name and URL |
| 149 | + - ii. Versions known to be affected |
| 150 | + - iii. Versions known to be not affected (for example, the vulnerable code was introduced in a recent version, and older versions are therefore unaffected) |
| 151 | + - iv. Versions not checked |
| 152 | + - v. Type of vulnerability and its impact |
| 153 | + - vi. If already obtained or applicable, a CVE-ID |
| 154 | + - vii. The planned, coordinated release date |
| 155 | + - viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations) |
| 156 | + - ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability) |
| 157 | + - x. If applicable, credits to the original reporter |
| 158 | + - c. Release finalized vulnerability announcement on website and reddit |
| 159 | + - e. If applicable, developers request a CVE-ID |
| 160 | + - i. The commit that applied the fix is made reference too in a future commit and includes a CVE-ID |
| 161 | + |
| 162 | + |
| 163 | +3. If the Incident Response process in section 2 is not successfully completed: |
| 164 | + - a. DA and developers organize a meeting to discuss why/what points in section 2 were not resolved and how the team can resolve them in the future |
| 165 | + - c. If disputes arise about whether or when to disclose information about a vulnerability, the DA will publicly discuss the issue via IRC and attempt to reach consensus |
| 166 | + - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public |
| 167 | + |
| 168 | +## 4. Bounty Amount and distribution |
| 169 | + |
| 170 | +- The Total Pool of Loki bounties is 100,000 LOK this will decrease over time as bugs are claimed, rewards are given as a percentage of the reward pool size, incentivizing fast disclosure |
| 171 | +- Bug bounties are rewarded by the severity of the Bug |
| 172 | + 1. 10% reserved for LOW severity bugs |
| 173 | + 2. 30% reserved for MEDIUM severity bugs |
| 174 | + 3. 60% for HIGH severity bugs |
| 175 | +- Each bug will receive at most 10% of their relevant category dependent on the inter-category classification by the DA |
| 176 | + |
| 177 | + |
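Review bot: line 15 still carries wording copied from another project's policy ("For more information on how to use Monero, visit the Loki website") while the same sentence says bounties are paid in LOK only; change it to "how to use Loki" or drop the sentence. The role naming is inconsistent as well: section 2 step 1 introduces a "Disclosure manger (DA)" (typo, and the abbreviation does not follow from "Disclosure manager"), but step 7 assigns the same duties to a "Response Manager", which is defined nowhere; pick one title and one abbreviation and use it throughout sections 2 and 3. Section 2 step 2 requires the DA to reply "using encrypted, secure channels", yet the only channel the file lists is the PGP email in section 1, so either say PGP email or name the alternatives. Smaller points: the sub-list under 3.2 jumps from c to e and the one under 3.3 from a to c; in 3.2.a the bounty item (i) is nested under the credit opt-out although it is a separate outcome; 3.2.e.i "made reference too" should be "referred to"; and the last bullet of section 4 says "inter-category classification" where the intent appears to be the DA's placement of the bug within its category ("intra-category"), since the 10% cap is applied to that category's share of the pool.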