chore: add SECURITY.md (#1328)

rnbguy · greg-szabo · web-flow · commit b6f422204433 · 2024-11-15T11:18:19.000Z
* add SECURITY.md

Signed-off-by: Rano | Ranadeep &lt;ranadeep@informal.systems&gt;

* update SECURITY.md

Signed-off-by: Rano | Ranadeep &lt;ranadeep@informal.systems&gt;

* apply suggestions from code review

Co-authored-by: Greg Szabo &lt;16846635+greg-szabo@users.noreply.github.com&gt;
Signed-off-by: Rano | Ranadeep &lt;ranadip.bswas@gmail.com&gt;

* fmt

Signed-off-by: Rano | Ranadeep &lt;ranadeep@informal.systems&gt;

* original interchain text

* rm mention of bounty

---------

Signed-off-by: Rano | Ranadeep &lt;ranadeep@informal.systems&gt;
Signed-off-by: Rano | Ranadeep &lt;ranadip.bswas@gmail.com&gt;
Co-authored-by: Greg Szabo &lt;16846635+greg-szabo@users.noreply.github.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Security Vulnerability
+
+If you believe you have found a security vulnerability in the Interchain Stack,
+you can report it to our primary vulnerability disclosure channel, the
+[Cosmos HackerOne program][hackerone-bug].
+
+> [!NOTE]
+> The `ibc-rs` is **NOT** part of the rewards program. Any issues reported for
+> `ibc-rs` are not eligible for bounty rewards.
+
+If you prefer to report an issue via email, you may send a bug report to
+security@interchain.io with the issue details, reproduction, impact, and other
+information. Please submit only one unique email thread per vulnerability.
+
+<!-- Any issues reported via email are ineligible for bounty rewards. -->
+
+Artifacts from an email report are saved at the time the email is triaged.
+Please note: our team cannot monitor dynamic content (e.g. a Google Docs link
+that is edited after receipt) throughout the lifecycle of a report. If you would
+like to share additional information or modify previous information, please
+include it in an additional reply as an additional attachment.
+
+Please **DO NOT** file a public issue in this repository to report a security
+vulnerability.
+
+## Coordinated Vulnerability Disclosure Policy and Safe Harbor
+
+For the most up-to-date version of the policies that govern vulnerability
+disclosure, please consult the [HackerOne program page][hackerone-policy].
+
+The policy hosted on HackerOne is the official Coordinated Vulnerability
+Disclosure policy and Safe Harbor for the Interchain Stack, and the teams and
+infrastructure it supports, and it supersedes previous security policies that
+have been used in the past by individual teams and projects with targets in
+scope of the program.
+
+[hackerone-bug]: https://hackerone.com/cosmos?type=team
+[hackerone-policy]: https://hackerone.com/cosmos?type=team&view_policy=true
