Summary
Given that the Dusk protocol is set out to secure billions in assets, it stands to reason that the libraries underlying the protocol should be secure.
The impact of a critical vulnerability in a blockchain network can be significant, and today there is no defined way for an outside researcher to report one privately. To reduce security, reputation and legal risk, there is value in adding a Coordinated Vulnerability Disclosure (CVD) process.
A well established CVD process leads to quicker response times, cost savings and partnerships with the security community, and reduces reputation and security risk.
Possible solution design or implementation
A CVD procedure should cover three processes:
A process for external parties to report a vulnerability privately
A process internally for the team to receive and acknowledge reports
A process for handling reports (triage, fix, release and coordinated public disclosure)
Additional context
A CVD process has already been put up for review here
This process utilizes GitHub's private vulnerability reporting feature, streamlining the reporting experience. Adding a SECURITY.md file gives the repository a published security policy, and enabling private vulnerability reporting in the repository settings adds a Report a vulnerability option when creating a new issue. This option directs users to a draft security advisory, visible only to maintainers, where they can report a security vulnerability with ease.
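A SECURITY.md of the kind described above, written here as an added example rather than the policy file under review in the project (the contact address, supported version range, response times and disclosure window are assumed placeholders to be replaced with the project's own values):

```markdown
# Security Policy

## Supported Versions

Only the versions below receive security fixes. Reports against older releases
are still welcome but will be fixed on the supported branch.

| Version | Supported          |
| ------- | ------------------ |
| 0.x     | :white_check_mark: |
| < 0.x   | :x:                |

## Reporting a Vulnerability

Please do **not** open a public issue for security problems.

Preferred channel: use GitHub's private vulnerability reporting by choosing
**Report a vulnerability** from the **Security** tab (or the new issue menu)
of this repository. The report becomes a draft security advisory that only
maintainers can see.

Fallback channel: e-mail security@example.com (placeholder address). If you
need to encrypt the report, ask for the current PGP key in an initial
unencrypted message.

A useful report contains:

- the affected component, branch or release and commit hash
- a description of the impact (e.g. loss of funds, consensus failure, key leak)
- steps or a proof of concept that reproduces the issue
- any suggested fix or mitigation

## What to Expect

- Acknowledgement within 3 business days (assumed target)
- An initial assessment and a severity rating within 10 business days (assumed target)
- Regular status updates while a fix is being developed
- A coordinated public disclosure, normally within 90 days of the report (assumed window),
  or earlier once a fix has been released

We will credit reporters in the published advisory unless they prefer to
remain anonymous. Please give us the opportunity to release a fix before
discussing the issue publicly.

## Scope

In scope: the code in this repository and the releases built from it.
Out of scope: third-party dependencies (report those upstream), issues that
require a compromised maintainer account, and findings that only affect
test or development configurations.
```

GitHub recognises the file at the repository root, in `.github/` or in `docs/`. The policy alone only adds the security policy link; the Report a vulnerability button requires private vulnerability reporting to be enabled by a repository administrator under Settings, Code security and analysis. The two channels are deliberate: if the GitHub feature is disabled or the reporter has no GitHub account, the e-mail fallback keeps the process usable.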