CCSS should include a requirement for a clear guidelines on how to report security vulnerabilities and mitigate possible attacks. It should lower risk and any legal barriers for honest security researchers to report security vulnerability and define clear conditions on how to report vulnerability, what a security researcher can or cannot do (for example they should never make a fraudulent transaction) and define processes and response times (for example in finding a critical vulnerability in key generation scheme, response time of security team should be in a matter of minutes, to be able to securely transfer funds to a safe wallet).
In level 3, a clearly defined bug bounty program with rewards proportionate to the funds being secured should be published, which motivates researchers to spend their resources on assessing the security and increase the probability of a honest researcher reporting the bug in contrast to a black-hat hacker exploiting it for their own benefit.
Conditions for reporting and bug bounty program should be clearly defined and published.
All bug reports should be securely transmitted using either a well known and signed PGP public key or through HTTPS connection (which should store the bug report in an encrypted way to the security team).
CCSS should include a requirement for a clear guidelines on how to report security vulnerabilities and mitigate possible attacks. It should lower risk and any legal barriers for honest security researchers to report security vulnerability and define clear conditions on how to report vulnerability, what a security researcher can or cannot do (for example they should never make a fraudulent transaction) and define processes and response times (for example in finding a critical vulnerability in key generation scheme, response time of security team should be in a matter of minutes, to be able to securely transfer funds to a safe wallet).
In level 3, a clearly defined bug bounty program with rewards proportionate to the funds being secured should be published, which motivates researchers to spend their resources on assessing the security and increase the probability of a honest researcher reporting the bug in contrast to a black-hat hacker exploiting it for their own benefit.
Conditions for reporting and bug bounty program should be clearly defined and published.
All bug reports should be securely transmitted using either a well known and signed PGP public key or through HTTPS connection (which should store the bug report in an encrypted way to the security team).