synor/SECURITY.md
Gulshan Yadav 1606776394 feat: Phase 7 critical tasks - security, formal verification, WASM crypto
## Formal Verification
- Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla)
- Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla)
- Add mathematical proof of DAA convergence (formal/proofs/)
- Document Kani verification approach (formal/kani/)

## Bug Bounty Program
- Add SECURITY.md with vulnerability disclosure process
- Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers
- Define scope, rules, and response SLA

## Web Wallet Dilithium3 WASM Integration
- Build WASM module via Docker (498KB optimized)
- Add wasm-crypto.ts lazy loader for Dilithium3
- Add createHybridSignatureLocal() for full client-side signing
- Add createHybridSignatureSmart() for auto-mode selection
- Add Dockerfile.wasm and build scripts

## Security Review ($0 Approach)
- Add .github/workflows/security.yml CI workflow
- Add deny.toml for cargo-deny license/security checks
- Add Dockerfile.security for audit container
- Add scripts/security-audit.sh for local audits
- Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
2026-01-10 01:40:03 +05:30
# Security Policy
## Supported Versions
| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |
| < 0.1   | :x:                |
## Reporting a Vulnerability
**DO NOT** create a public GitHub issue for security vulnerabilities.
### Bug Bounty Program
For vulnerabilities within the scope of our bug bounty program, please report via:
**[Immunefi](https://immunefi.com/bounty/synor)** (Preferred)
Rewards range from $500 to $100,000 depending on severity.
See [docs/BUG_BOUNTY.md](docs/BUG_BOUNTY.md) for full program details.
### Direct Reporting
For issues not suitable for the bug bounty program:
**Email:** security@synor.cc
Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your contact information
### PGP Key
For encrypted communication:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Key will be added when available]
-----END PGP PUBLIC KEY BLOCK-----
```
## Response Timeline
| Action | Timeframe |
|--------|-----------|
| Acknowledgment | 24 hours |
| Initial assessment | 72 hours |
| Status update | Weekly |
| Fix release | Depends on severity |
## Security Best Practices
When running a Synor node:
1. **Keep updated** - Always run the latest stable version
2. **Secure RPC** - Don't expose the RPC interface to the public internet without authentication
3. **Firewall** - Only allow the necessary ports (17511 P2P, 17110 RPC)
4. **Backups** - Regularly back up your wallet and node data
5. **Keys** - Never share private keys or seed phrases
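As an added example (not part of the Synor repository or this policy), the script below turns items 2 and 3 into something an operator can check and apply. It assumes a Linux host with `ss` and nftables; the `ss -H -ltn`-style socket lines are constructed samples, and the port numbers are the ones listed above. The `rpc_exposure` function flags an RPC listener (17110) bound to anything other than loopback, and `nft_ruleset` prints a deny-by-default inbound policy that admits only P2P (17511) from the outside.

```shell
#!/bin/sh
# Added example, not Synor project code. Ports as named in SECURITY.md.
P2P_PORT=17511
RPC_PORT=17110

# Constructed samples of `ss -H -ltn` output (no header row; fields are
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS_OK='LISTEN 0 128 127.0.0.1:17110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:17511 0.0.0.0:*
LISTEN 0 128 [::]:17511 [::]:*'

SAMPLE_SS_BAD='LISTEN 0 128 0.0.0.0:17110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:17511 0.0.0.0:*'

# rpc_exposure: read ss-style lines from stdin. Prints "ok" and returns 0
# when every listener on RPC_PORT is bound to a loopback address; otherwise
# prints the offending local addresses and returns 1.
rpc_exposure() {
  bad=""
  while read -r state recvq sendq laddr peer; do
    [ "$state" = "LISTEN" ] || continue      # skips headers and blank lines
    port=${laddr##*:}                        # text after the last colon
    [ "$port" = "$RPC_PORT" ] || continue
    host=${laddr%:*}                         # text before the last colon
    case "$host" in
      127.*|'[::1]') ;;                      # loopback binds are acceptable
      *) bad="$bad $laddr" ;;
    esac
  done
  if [ -n "$bad" ]; then
    echo "RPC port $RPC_PORT exposed on:$bad"
    return 1
  fi
  echo "ok"
  return 0
}

# nft_ruleset: print an nftables ruleset implementing "only necessary ports":
# established traffic and loopback are accepted, P2P is accepted from anywhere,
# and everything else inbound (including RPC) is dropped by policy.
# Review before applying with `nft -f`; add your own management port (e.g. SSH).
nft_ruleset() {
  cat <<EOF
table inet synor_node {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport $P2P_PORT accept
    # RPC ($RPC_PORT) is deliberately not accepted here: loopback only.
  }
}
EOF
}

# On a live host the check would be: ss -H -ltn | rpc_exposure
printf '%s\n' "$SAMPLE_SS_OK"  | rpc_exposure || echo "unexpected: good sample flagged"
printf '%s\n' "$SAMPLE_SS_BAD" | rpc_exposure || echo "(expected: constructed bad sample flagged)"
```

The check treats any non-loopback bind of the RPC port as a finding even when the firewall would block it, because a listener on `0.0.0.0` is one rule change away from being public; fix the bind address in the node configuration rather than relying on the packet filter alone.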
## Known Security Audits
| Date | Auditor | Scope | Report |
|------|---------|-------|--------|
| *Pending* | *TBD* | Full Protocol | *TBD* |
## Disclosure Policy
We follow responsible disclosure:
1. Reporter notifies us privately
2. We acknowledge and assess
3. We develop and test a fix
4. Fix is deployed
5. Public disclosure after 30 days (or sooner if coordinated)
## Security Advisories
Security advisories will be published at:
- [GitHub Security Advisories](https://github.com/synor/synor/security/advisories)
- [Blog](https://synor.cc/blog)
- [Discord](https://discord.gg/synor) #announcements
## Hall of Fame
We thank the following researchers for responsible disclosure:
*No reports yet - be the first!*