| -# RSK's Security Process |
| 1 | +# 2WP-API Security Process |
2 | 2 |
|
3 | 3 | We're committed to conduct our security process in a professional and civil manner. Public shaming, under-reporting or misrepresentation of vulnerabilities will not be tolerated.
|
4 | 4 |
|
5 | 5 | ## Responsible Disclosure
|
6 | 6 |
|
7 |
| -For all security related issues, RSK has to main points of contact. Reach us at <security@iovlabs.org> or refer to our [Bug Bounty Program.](https://www.rsk.co/bounty-program/) **Do not open up a GitHub issue if the bug is a security vulnerability.** |
| 7 | +For all security related issues, RootstockLabs has to main points of contact. Reach us at <security@rootstocklabs.com> or refer to our [Bug Bounty Program.](https://www.rootstocklabs.com/bug-bounty-program) **Do not open up a GitHub issue if the bug is a security vulnerability.** |
8 | 8 |
|
9 | 9 | **Ensure the bug was not already reported** by searching on Github under [Issues](https://github.com/rsksmart/2wp-api/issues).
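Review bot: the replacement contact line keeps the original typo `has to main points of contact`; it should read `has two main points of contact`, since the sentence goes on to list exactly two channels (the e-mail address and the bounty program). While this line is being rewritten, the link text `[Bug Bounty Program.](...)` places the sentence's period inside the link; move it outside the brackets.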
|
10 | 10 |
|
11 | 11 | ## Vulnerability Handling
|
12 | 12 |
|
13 | 13 | ### Response Time
|
14 | 14 |
|
15 |
| -RSK will make a best effort to meet the following response times for reported vulnerabilities: |
| 15 | +RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities: |
16 | 16 |
|
17 |
| -* Time to first response (from report submit) - 24 hours |
18 |
| -* Time to triage (from report submit) - 2 business days |
| 17 | +* Time to first response (from report submit) - 5 business days |
| 18 | +* Time to triage (from report submit) - 7 business days |
19 | 19 | * Time to bounty (from triage) - 15 business days
|
20 | 20 |
|
21 | 21 | We’ll try to keep you informed about our progress throughout the process.
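Review bot: the first-response target moves from 24 hours to 5 business days and triage from 2 to 7 business days, while the 15-business-day bounty window below them is unchanged; a loosening of the published SLA this large should be explained in the commit message so reporters and maintainers know it is deliberate. The nearby heading `### Disclouse Policy` is misspelled (`Disclosure`) and could be fixed in the same change.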
|
22 | 22 |
|
23 | 23 | ### Disclouse Policy
|
24 | 24 |
|
25 | 25 | * Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
|
26 |
| -* Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to RSK with considerable delay, then RSK may reduce or cancel the bounty. |
| 26 | +* Public disclosure of a vulnerability makes it ineligible for a bounty. |
27 | 27 |
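Review bot: dropping the second sentence of the public-disclosure bullet removes the only statement of how a report that reaches this team long after other security teams is handled, leaving that case undefined; if the intent was only to rename, keep the clause with the new name (`... but reports to RootstockLabs with considerable delay, then RootstockLabs may reduce or cancel the bounty.`), and if the policy itself is being withdrawn, say so in the commit message.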
|
28 |
| -For more information check RSK bounty program policy at [HackerOne](https://hackerone.com/iovlabs) |
| 28 | +For more information check RootstockLabs bounty program policy at [HackerOne](https://hackerone.com/rootstocklabs) |
29 | 29 |
|
30 | 30 | ## Public Keys
|
31 | 31 |
|