synor/SECURITY.md
Gulshan Yadav 1606776394 feat: Phase 7 critical tasks - security, formal verification, WASM crypto
## Formal Verification
- Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla)
- Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla)
- Add mathematical proof of DAA convergence (formal/proofs/)
- Document Kani verification approach (formal/kani/)

## Bug Bounty Program
- Add SECURITY.md with vulnerability disclosure process
- Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers
- Define scope, rules, and response SLA

## Web Wallet Dilithium3 WASM Integration
- Build WASM module via Docker (498KB optimized)
- Add wasm-crypto.ts lazy loader for Dilithium3
- Add createHybridSignatureLocal() for full client-side signing
- Add createHybridSignatureSmart() for auto-mode selection
- Add Dockerfile.wasm and build scripts

## Security Review ($0 Approach)
- Add .github/workflows/security.yml CI workflow
- Add deny.toml for cargo-deny license/security checks
- Add Dockerfile.security for audit container
- Add scripts/security-audit.sh for local audits
- Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
2026-01-10 01:40:03 +05:30

# Security Policy

## Supported Versions

Version Supported
0.1.x
< 0.1

## Reporting a Vulnerability

DO NOT create a public GitHub issue for security vulnerabilities.

### Bug Bounty Program

For vulnerabilities within the scope of our bug bounty program, please report via:

Immunefi (Preferred)

Rewards range from $500 to $100,000 depending on severity.

See docs/BUG_BOUNTY.md for full program details.

### Direct Reporting

For issues not suitable for the bug bounty program:

Email: security@synor.cc

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Your contact information

### PGP Key

For encrypted communication:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[Key will be added when available]
-----END PGP PUBLIC KEY BLOCK-----

## Response Timeline

| Action | Timeframe |
|---|---|
| Acknowledgment | 24 hours |
| Initial assessment | 72 hours |
| Status update | Weekly |
| Fix release | Depends on severity |

## Security Best Practices

When running a Synor node:

  1. Keep updated - Always run the latest stable version
  2. Secure RPC - Don't expose RPC to the public internet without authentication
  3. Firewall - Only allow necessary ports (17511 P2P, 17110 RPC)
  4. Backups - Regularly back up your wallet and node data
  5. Keys - Never share private keys or seed phrases
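A quick way to verify items 2 and 3 on a node host, as an added example that is not part of the Synor project: it reads the host's listening sockets and flags an RPC port (17110) bound to anything other than loopback while confirming the P2P port (17511) is open. It assumes the column layout of `ss -ltnH` and embeds a constructed sample listing so it runs offline.

```sh
#!/bin/sh
# Added example, not project code: audit a node host's listening sockets so the
# RPC port is reachable only on loopback while the P2P port is open. Port numbers
# come from the policy above; the listing format assumed is that of `ss -ltnH`
# (State Recv-Q Send-Q Local:Port Peer:Port).

P2P_PORT=17511
RPC_PORT=17110

# Constructed sample of `ss -ltnH` output so the script runs offline.
# On a real host use: LISTENERS=$(ss -ltnH)
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:17511 0.0.0.0:*
LISTEN 0 128 0.0.0.0:17110 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

# Print the local addresses (addr:port) on which the given port is listening.
local_addrs_for_port() {
  printf '%s\n' "$1" | awk -v p="$2" '{ n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# check_rpc_binding LISTING: one verdict line per RPC listener; returns 1 if any
# RPC socket is bound to a non-loopback address (the weak setting). No RPC
# listener at all (RPC disabled) is treated as fine.
check_rpc_binding() {
  rc=0
  for addr in $(local_addrs_for_port "$1" "$RPC_PORT"); do
    case "$addr" in
      127.0.0.1:*|"[::1]:"*)
        echo "ok: RPC $addr is loopback-only" ;;
      *)
        echo "WARNING: RPC port $RPC_PORT bound to $addr; bind it to loopback or front it with authentication"
        rc=1 ;;
    esac
  done
  return $rc
}

# p2p_listening LISTING: returns 0 when something listens on the P2P port.
p2p_listening() {
  [ -n "$(local_addrs_for_port "$1" "$P2P_PORT")" ]
}

if check_rpc_binding "$SAMPLE_LISTENERS" && p2p_listening "$SAMPLE_LISTENERS"; then
  echo "socket exposure matches the policy"
else
  echo "adjust the node's bind addresses or firewall before exposing this host"
fi
```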

## Known Security Audits

| Date | Auditor | Scope | Report |
|---|---|---|---|
| Pending | TBD | Full Protocol | TBD |

## Disclosure Policy

We follow responsible disclosure:

  1. Reporter notifies us privately
  2. We acknowledge and assess
  3. We develop and test a fix
  4. Fix is deployed
  5. Public disclosure after 30 days (or sooner if coordinated)

## Security Advisories

Security advisories will be published at:

## Hall of Fame

We thank the following researchers for responsible disclosure:

No reports yet - be the first!