Closed brianerdelyi closed 6 years ago
you should contact coinpouch lol
Ouch! :)
Seriously though, I've established these teams with many financial institutions. Not only does it help show a commitment to security, it can help reduce the impact of security incidents, identify vulnerabilities and build confidence in Verge/XVG.
Yeah, that's a great idea.
There's a few ways to get started...
I 100% agree. This is really important. We did the same thing with Feathers. https://docs.feathersjs.com/SECURITY.html.
Setting up on https://www.hackerone.com/ might also be a good idea too.
Now you're getting it :). I'm a big fan of bug bounties as well. I'm looking forward to getting this going.
Don't just think users or community reporting issues to us... it's also a way for us to share good practices, advisories and more with others. I think a risk assessment could also help guide some of the work we all do with Verge.
Who runs the website?
It's open source. Everyone does. It's hosted from GitHub here.
Ok, so I see it's not a traditional CMS like WordPress. I'll have to see how pages are added and modified.
@justinvforvendetta as far as I know. Not sure who else.
Thanks. In the meantime, I'm getting up to speed on GitHub Pages and Markdown. I'm drafting an initial landing page for /security to outline the purpose of the team.
What "assets" does Verge have that they feel need to be protected? I'm thinking the following:
Thoughts?
How does someone join the security team?
Thanks Mr. Smile. I'm creating the initial page with charter. Give me a few days to submit this to the team to let them review before it can be merged into the site and get an email. In the meantime, are you able to private message me via GitHub?
I expect the main activities will be receiving reports of potential security issues/incidents. We need to decide what level of help we'll provide to users... I'd want to avoid how-to support. Regardless, we'll get an idea what type of questions/concerns there are and can publish how-to articles. I'd really like help with this.
Reports of vulnerabilities will be rare, but we may want a private channel to share with developers (TBD). Once we have a solution, we can publish advisories.
Brian, I can't seem to see the option to DM you.
You can send me an email, Brian.Erdelyi@gmail.com
Emailed you. Anyone else interested?
Created charter and submitted pull request #257 . Pending feedback.
I'm willing to contribute. I work for a global company as a Sr. Systems Engineer (Linux/Red Hat/CentOS). I've got some programming skills in Perl/PHP/Bash. My expertise is in DDoS/cybersecurity.
Excellent! Can we connect by LinkedIn?
@datatrustgroup you went to UMass Amherst? Haha, I've been there before.. lived in Andover for a while and worked in Lowell.
Ya, "Zoo-Mass" is what they used to call it, 1988-1992.
Hey, I'm currently a student in Computing and although I haven't got much experience would love to learn more and help out wherever I can. I doubt you would need someone like me but thought I'd mention it as the experience would definitely be beneficial for me.
Hi Dom! Thanks for the support. I'm waiting for the Verge-CSIRT email to be created and the charter to be published. Feel free to email or connect with me by LinkedIn.
Is Justin looking into that?
@justinvforvendetta is aware of the thread and I assume the pull request and email request. We will need to wait for feedback.
Ok, perfect. Yeah, I think he's busy with the new wallet builds for now.
To help grow confidence in Verge and XVG, I think it would be helpful to establish a Verge computer security incident response team (CSIRT) based on RFC 2350.
In addition to reactive support, there is other support that can be provided, such as publishing security-related articles and guidance to the Verge community. In fact, we can help provide security leadership to the crypto coin community as a whole.