vergecurrency / vergecurrency.com

https://VergeCurrency.com - Official Site of Verge Currency ($XVG) :globe_with_meridians:
MIT License

Verge-CSIRT #253

Closed brianerdelyi closed 6 years ago

brianerdelyi commented 6 years ago

To help grow confidence in Verge and XVG, I think it would be helpful to establish a Verge computer security incident response team (CSIRT) based on RFC 2350.

In addition to reactive support, there is other support that can be provided such as publishing security related articles and guidance to the Verge community. In fact, we can help provide security leadership to the crypto coin community as a whole.

justinvforvendetta commented 6 years ago

you should contact coinpouch lol

brianerdelyi commented 6 years ago

Ouch! :)

Seriously though, I've established these teams with many financial institutions. Not only does it help show a commitment to security, it can help reduce the impact of security incidents, identify vulnerabilities and build confidence in Verge/XVG.

justinvforvendetta commented 6 years ago

yeah that's a great idea

brianerdelyi commented 6 years ago

There are a few ways to get started...

  1. Discuss in a bit more detail privately. We should discuss the charter and such.
  2. A /security page on the site
  3. security@ email address to help with community communication
  4. Access to submit posts on the blog

ekryski commented 6 years ago

I 100% agree. This is really important. We did the same thing with Feathers. https://docs.feathersjs.com/SECURITY.html.

Setting up on https://www.hackerone.com/ might also be a good idea too.

brianerdelyi commented 6 years ago

Now you're getting it :). I'm a big fan of bug bounties as well. I'm looking forward to getting this going.

Don't just think users or community reporting issues to us... it's also a way for us to share good practices, advisories and more with others. I think a risk assessment could also help guide some of the work we all do with Verge.

brianerdelyi commented 6 years ago

Who runs the website?

ekryski commented 6 years ago

It's open source. Everyone does. It's hosted from Github here.

brianerdelyi commented 6 years ago

Ok, so I see it's not a traditional CMS like WordPress. I'll have to see how pages are added and modified.

  1. Who is responsible for domain name and DNS?
  2. Who approves changes to source code in GitHub?

ekryski commented 6 years ago

@justinvforvendetta as far as I know. Not sure who else.

brianerdelyi commented 6 years ago

Thanks. In the meantime, I'm getting up to speed on GitHub Pages and Markdown. I'm drafting an initial landing page for /security to outline the purpose of the team.

What "assets" does Verge have that they feel need to be protected? I'm thinking the following:

Thoughts?

MRSMILEUS commented 6 years ago

How does someone join the security team?

brianerdelyi commented 6 years ago

Thanks Mr. Smile. I'm creating the initial page with charter. Give me a few days to submit this to the team to let them review before it can be merged into the site and get an email. In the meantime, are you able to private message me via GitHub?

I expect the main activities will be receiving reports of potential security issues/incidents. We need to decide what level of help we'll provide to users... I'd want to avoid how-to support. Regardless, we'll get an idea what type of questions/concerns there are and can publish how-to articles. I'd really like help with this.

Reports of vulnerabilities will be rare, but we may want a private channel to share with developers (TBD). Once we have a solution, we can publish advisories.

MRSMILEUS commented 6 years ago

Brian, I can't seem to see the option to DM you.

brianerdelyi commented 6 years ago

You can send me an email, Brian.Erdelyi@gmail.com

MRSMILEUS commented 6 years ago

Emailed you. Anyone else interested?


brianerdelyi commented 6 years ago

Created charter and submitted pull request #257 . Pending feedback.

linux152 commented 6 years ago

I'm willing to contribute. I work for a global company as a Sr. Systems Engineer (Linux/RedHat/CentOS). I've got some programming skills: Perl/PHP/Bash. My expertise is in DDoS/Cybersecurity.

brianerdelyi commented 6 years ago

Excellent! Can we connect by LinkedIn?

linux152 commented 6 years ago

https://www.linkedin.com/in/philipheady/

justinvforvendetta commented 6 years ago

@datatrustgroup you went to umass amherst? haha i've been there before.. lived in andover for a while and worked in lowell.

linux152 commented 6 years ago

Ya, "Zoo-Mass" is what they used to call it, 1988-1992.

DomCrogan commented 6 years ago

Hey, I'm currently a student in Computing and although I haven't got much experience would love to learn more and help out wherever I can. I doubt you would need someone like me but thought I'd mention it as the experience would definitely be beneficial for me.

brianerdelyi commented 6 years ago

Hi Dom! Thanks for the support. I'm waiting for the Verge-CSIRT email to be created and the charter to be published. Feel free to email or connect with me by LinkedIn.

MRSMILEUS commented 6 years ago

Is Justin looking into that?


brianerdelyi commented 6 years ago

@justinvforvendetta is aware of the thread and I assume the pull request and email request. We will need to wait for feedback.

MRSMILEUS commented 6 years ago

Ok, perfect. Yeah, I think he's busy with the new wallet builds for now.
