Open yangwao opened 3 years ago
You will want to have an internal discussion about methods for incentivizing security researchers to take part in your bug bounty program. I would also suggest creating a responsible disclosure program in conjunction with your bug bounty program to create a pathway for reporting vulnerabilities securely. You can look to Parity to see what they have done in this space.
https://www.parity.io/bug-bounty/ https://github.com/paritytech/substrate/blob/master/docs/SECURITY.md
I also highly recommend implementing a security.txt record on your KodaDot properties: https://securitytxt.org/
Regarding item #2, I would definitely recommend integrating regular source code reviews, security audits, and penetration tests into your CI/CD pipeline as features and functions are added or removed from the Kodadot codebase. How often you do those is up to you of course.
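The security.txt record recommended above is specified by RFC 9116: it lives at `/.well-known/security.txt`, and only `Contact` and `Expires` are mandatory. Before publishing one, it is worth checking it the way a researcher's tooling will. The following is an added example, not code from this thread or from KodaDot: it parses a constructed sample file (the `example.org` addresses are placeholders) and reports the problems that most often make a disclosure record useless, such as a missing or past `Expires`, a `Contact` that is not a URI, or a field given twice that the RFC allows only once.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, not KodaDot's real file: the shape of record the
# comment above recommends, laid out as RFC 9116 describes.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report-vulnerability
Expires: 2026-01-01T00:00:00Z
Policy: https://example.org/security-policy
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

REQUIRED = {"Contact", "Expires"}
# Fields RFC 9116 defines; anything else is legal but worth a second look.
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "Encryption", "Hiring",
                    "Policy", "Preferred-Languages", "CSAF"}
# Fields the RFC says must not appear more than once.
SINGLETON = {"Expires", "Preferred-Languages"}


def parse_security_txt(text):
    """Return {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the record passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    present = set(fields)

    for name in sorted(REQUIRED - present):
        problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON & present):
        if len(fields[name]) > 1:
            problems.append(f"{name} must appear only once")
    for name in sorted(present - KNOWN):
        problems.append(f"unknown field {name}")

    # Contact must be a URI, so a bare e-mail address is a common mistake.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:///tel: URI: {contact}")

    # Expires is what tells a researcher whether the record is still maintained.
    for expires in fields.get("Expires", [])[:1]:
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires}")
            continue
        if when <= now:
            problems.append("Expires is in the past; the record is stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT):
        print("problem:", problem)
```

The `now` parameter exists so the check can be pinned in tests; in a CI job you would read the file from the repository and fail the build on a non-empty list, which also catches the record silently expiring a year after it was written.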
> You will want to have an internal discussion about methods for incentivizing security researchers to take part in your bug bounty program. I would also suggest creating a responsible disclosure program in conjunction with your bug bounty program to create a pathway for reporting vulnerabilities securely. You can look to Parity to see what they have done in this space.
> https://www.parity.io/bug-bounty/ https://github.com/paritytech/substrate/blob/master/docs/SECURITY.md

We will crack on that in upcoming Meta_hours_4 https://github.com/kodadot/nft-gallery/discussions/2007

> I also highly recommend implementing a security.txt record on your KodaDot properties: https://securitytxt.org/

https://github.com/kodadot/nft-gallery/issues/2089 yes we will nail it down soon

> Regarding item #2, I would definitely recommend integrating regular source code reviews, security audits, and penetration tests into your CI/CD pipeline as features and functions are added or removed from the Kodadot codebase. How often you do those is up to you of course.

We will be posted on https://www.huntr.dev/ to draw in more security researchers.
huntr.dev is over capacity, according to the response I received.
Any good other hints?
This issue has been automatically marked as stale because it has not had activity in last 720 days. It will be closed in 120 days if no further activity occurs. Please @kodadot/internal feel free to leave a comment if you believe the issue is still relevant. Thank you for your contributions!
Security program
Reasoning: We've left some unused 📦 in our code, and some security experts think these are high-risk issues, whereas Textile wasn't used for anything critical anymore since we implemented Subquery - #535, #533 - Twitter.
Meanwhile, we've got an A grade on headers.