ZcashFoundation / zebra

Zcash - Financial Privacy in Rust 🦓
https://zfnd.org/zebra/
Apache License 2.0
412 stars 106 forks

Create encryption keys amongst security@zfnd.org #1638

Open dconnolly opened 3 years ago

dconnolly commented 3 years ago

And publish the public key in our responsible_disclosure.md statement. Ideally created on yubikeys, with backups. Elucidate the creation, rotation, and EOL'ing keys.

For now we have an old draft at: https://docs.google.com/document/d/1ORGAzAYq5vc86SxBlugYAE5daLbnTRCIZSELCvFKZaY

After discussion/review we should update the ticket text here.

Quick consensus on tooling:
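Added example, not from the Zebra project or anyone in this thread: a stdlib-only Python checker for the ASCII-armored OpenPGP public key a project publishes in its responsible_disclosure.md. It verifies the armor CRC-24 (RFC 4880 section 6.1), walks the OpenPGP packets, and reports the primary key's algorithm, creation time, v4 fingerprint, user IDs and the expiration recorded in the hashed self-signature subpackets, so a CI job can fail when the published key has no expiry or has already passed it, which is the part of a rotation/EOL policy the key itself can enforce. The sample key, its `security@example.org` user ID and the two-year expiry are constructed assumptions with fake key material and a fake signature (only packet layout is exercised); generating the real key on a YubiKey stays with gpg, this only audits what gets published.

```python
"""Audit the armored OpenPGP public key published in a responsible-disclosure document.
Added example (stdlib only); the sample key below is constructed, not a real key."""
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

PK_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Wrap raw packets in a PUBLIC KEY BLOCK with 64-column base64 and a CRC line."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body + "\n=" + crc
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Strip the armor, decode the base64 body and verify the trailing CRC-24 line."""
    lines = text.strip().splitlines()
    if (lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----"
            or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:  # drop optional armor headers (Version:, Comment:) before the blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]
    if not crc_lines or int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 missing or mismatched")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length-type 0/1/2 gives a 1/2/4-byte length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def subpackets(buf: bytes):
    """Yield (type, data) for signature subpackets; the length counts the type octet."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + buf[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", buf[i + 1:i + 5])[0], 5
        yield buf[i + hdr] & 0x7F, buf[i + hdr + 1:i + hdr + length]
        i += hdr + length


def inspect_key(armored: str) -> dict:
    """Summarise the primary key: algorithm, creation, v4 fingerprint, user IDs, expiry."""
    info = {"algorithm": None, "created": None, "expires": None, "fingerprint": None, "user_ids": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and info["fingerprint"] is None:  # first public-key packet = primary key
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], tz=timezone.utc)
            info["algorithm"] = PK_ALGOS.get(body[5], f"algo {body[5]}")
            # v4 fingerprint = SHA-1 over 0x99, two-byte body length, packet body
            info["fingerprint"] = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        elif tag == 13:
            info["user_ids"].append(body.decode("utf-8", "replace"))
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13 and info["created"]:
            hashed_len = struct.unpack(">H", body[4:6])[0]  # only hashed subpackets are signed
            for sp_type, sp in subpackets(body[6:6 + hashed_len]):
                if sp_type == 9:  # key expiration time, seconds after key creation
                    info["expires"] = info["created"] + timedelta(seconds=struct.unpack(">I", sp)[0])
    return info


def check_key(armored: str, now: datetime) -> list:
    """Policy findings for a published key; an empty list means it passes."""
    info, findings = inspect_key(armored), []
    if info["fingerprint"] is None:
        findings.append("no primary public key packet found")
    if not info["user_ids"]:
        findings.append("no user ID packet")
    if info["expires"] is None:
        findings.append("no expiration set: rotation/EOL is not enforced by the key itself")
    elif info["expires"] <= now:
        findings.append(f"key expired on {info['expires']:%Y-%m-%d}")
    return findings


def _build_sample_key() -> str:
    """Constructed placeholder: correct packet layout, fake Ed25519 point and signature."""
    created = 1700000000  # 2023-11-14T22:13:20Z
    pk = (b"\x04" + struct.pack(">I", created) + b"\x16"  # v4 key, algorithm 22 = EdDSA
          + b"\x09" + bytes.fromhex("2b06010401da470f01")  # Ed25519 curve OID
          + struct.pack(">H", 263) + b"\x40" + b"\x11" * 32)  # MPI holding the (fake) point
    uid = b"Example Security Contact <security@example.org>"
    hashed = (b"\x05\x02" + struct.pack(">I", created)  # signature creation time
              + b"\x05\x09" + struct.pack(">I", 2 * 365 * 86400))  # key expires in 730 days
    sig = (b"\x04\x13\x16\x08" + struct.pack(">H", len(hashed)) + hashed  # positive cert, EdDSA, SHA-256
           + b"\x00\x00" + b"\x00\x00"  # no unhashed subpackets, left 16 bits of hash
           + (struct.pack(">H", 256) + b"\x22" * 32) * 2)  # fake R and S MPIs
    pkt = lambda tag, body: bytes([0x80 | (tag << 2), len(body)]) + body  # old-format, 1-byte length
    return armor(pkt(6, pk) + pkt(13, uid) + pkt(2, sig))


SAMPLE_KEY = _build_sample_key()

if __name__ == "__main__":
    for k, v in inspect_key(SAMPLE_KEY).items():
        print(f"{k:12} {v}")
    print(check_key(SAMPLE_KEY, datetime.now(timezone.utc)) or "OK")
```

Pointing `check_key` at the key block extracted from the disclosure document and a `now` of the CI run turns the rotation policy into a failing build a few weeks before the key lapses; a real deployment would also compare the fingerprint against the one pinned in the document text, which is the value reporters are told to verify.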

teor2345 commented 3 years ago

Putting this in the last sprint, so we remember to do it before mainnet activation.

mpguerra commented 3 years ago

Do we still want to/need to do this?

teor2345 commented 2 years ago

We're getting closer to the stable release candidate series, so this is a medium priority now.

teor2345 commented 1 year ago

Here are some reasons to make our first secure contact method a PGP key:

If we want to get the same disclosures as zcashd: https://github.com/zcash/zcash/blob/master/SECURITY.md#receiving-disclosures

If we want to conform to accepted responsible disclosure standards within the cryptocurrency community: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6#giving-details

We can add additional secure contact methods, but in my opinion they should be separate tickets. That allows us to give them different schedules and priorities.

dconnolly commented 1 year ago

Some resources:

mpguerra commented 1 year ago

I've started coordinating on this.

mpguerra commented 1 year ago

Removing from sprint; I still have it on my to-do list to do ASAP.