
proposal: chain.json: add optional "security_email" contact value at the top level

Open odeke-em opened this issue 3 years ago • 4 comments

In order for us to scalably perform security incident response management, we need to be able to inform chains of when there are vulnerabilities and the remedies that we are applying to these. It would perhaps be useful if there were some sort of field to allow reaching security teams.

What do y'all think? Kindly cc-ing @ebuchman @marbar3778 et al.

odeke-em avatar Apr 22 '22 22:04 odeke-em

Email and DNS are centralized communication systems that some chains use and some chains do not use. What we found useful as a common denominator is a URL to a SECURITY.md in which each chain defines its preferred security communication channels.

Some examples from https://github.com/CosmWasm/advisories#notification-list: Juno: Discord; Nym: Discord; Provenance: Email; Secret Network: Discord; Stargaze: Email.

webmaster128 avatar Apr 23 '22 08:04 webmaster128

I tend to use Telegram for these things, if not Signal. The email can be monitored by people we don't want to share the info with. Ideally we create an internal list of ways to contact people and go from there. We can add it here if people want, but we shouldn't use it as a source of truth.

tac0turtle avatar Apr 23 '22 09:04 tac0turtle

I'm into the idea of referring to SECURITY.md

nooomski avatar Apr 25 '22 18:04 nooomski

Ideally we would avoid individuals where possible and use a methodology of targeting a stakeholder group for a respective chain. The method of delivery is less important than just having documentation of any point of contact; if we have nothing then we have to go digging, and in the case of IR, time is money. Looking at past incidents, a number of chains have internal addresses, which is just industry standard: create something akin to a Distribution List, have that detailed as the contact, and that can even be made more granular. Taking Telegram/Signal, a larger contact group could also have child members with this info.

Conversely, a centralized publishing body such as the Cosmos forum or Discord(s), etc. could be utilized, but that would take a community agreement to self-monitor, which is much harder to guarantee due diligence and risk responsibility for.

BlueTDeadly avatar May 02 '22 21:05 BlueTDeadly
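An added example, not code from the chain-registry project or from anyone in this thread, showing how an IR team could audit registry entries for the contact field proposed above. It assumes two hypothetical top-level chain.json keys: `security_email` (the proposal) and `security_md` (a URL to a SECURITY.md, as suggested in the second comment); the sample registry entries are constructed.

```python
"""Audit chain-registry entries for a usable security contact.

Constructed example. Assumes hypothetical top-level chain.json keys
"security_email" and "security_md"; neither is part of the real schema.
"""
import re
from urllib.parse import urlparse

# Deliberately loose: reject obvious garbage, not enforce RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def security_contact(chain: dict):
    """Return ("email", value), ("url", value) or None for one chain.json dict.

    Values are sanity-checked so that responders are not sent to a
    malformed address when minutes matter.
    """
    email = chain.get("security_email")
    if isinstance(email, str) and EMAIL_RE.match(email):
        return ("email", email)
    url = chain.get("security_md")
    if isinstance(url, str):
        parts = urlparse(url)
        # Only accept https so a contact page can't be swapped in transit.
        if parts.scheme == "https" and parts.netloc:
            return ("url", url)
    return None


def audit(registry: list) -> dict:
    """Map chain_name -> contact tuple, or None when nothing usable exists."""
    return {c.get("chain_name", "?"): security_contact(c) for c in registry}


# Constructed sample registry: four hypothetical chain.json documents.
SAMPLE_REGISTRY = [
    {"chain_name": "alpha", "security_email": "security@alpha.example"},
    {"chain_name": "beta",
     "security_md": "https://git.example/beta/blob/main/SECURITY.md"},
    {"chain_name": "gamma", "security_email": "not-an-address"},
    {"chain_name": "delta"},
]

if __name__ == "__main__":
    for name, contact in audit(SAMPLE_REGISTRY).items():
        print(name, contact or "NO SECURITY CONTACT: manual digging required")
```

Chains reported as `None` are the ones where, in the words of the last comment, responders would otherwise have to go digging during an incident.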