Add security policy with reporting guidelines#126
Open
loopghost wants to merge 1 commit into
Open
Conversation
Added sections for reporting vulnerabilities, including an alternative private reporting channel for researchers unable to use Immunefi, reward eligibility, coordinated disclosure, and safe harbor in the security policy.
Author
|
cc: @turkycat @coreymartin @zhenlu @keenan-lightspark @lightsparkmax @reverendken @alexjweil Hi all, I have opened this PR to add a SECURITY.md policy that complements the existing Immunefi program and provides an alternative private reporting path for researchers who are unable to access Immunefi. In particular, the policy proposes that valid findings submitted through GitHub Private Vulnerability Reporting (once enabled) be evaluated under the same criteria and reward tiers as the live Immunefi program. I believe this closes an important disclosure gap and makes the repository's security process much clearer and more accessible. Thanks for taking a look. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds a SECURITY.md file that documents:
Why this is useful
While Spark already has an active bug bounty program on Immunefi, adding a SECURITY.md provides a standard, repository-native security policy and ensures that researchers can quickly find the preferred disclosure process directly from the repository.
It also establishes a fallback private reporting path for legitimate researchers who cannot access Immunefi for technical or account-related reasons.
Additional Maintainer Action Required
To enable GitHub's built-in private disclosure workflow referenced in this policy, maintainers will need to enable Private Vulnerability Reporting in the repository settings:
Repository → Settings → Security → Advanced Security → Private vulnerability reporting → Enable
Once enabled, a "Report a vulnerability" button will appear under the Security tab, allowing researchers to submit reports privately through GitHub Security Advisories.
Reward Eligibility
The proposed policy states that valid reports submitted through GitHub Private Vulnerability Reporting should be evaluated under the same criteria and reward tiers as the existing Immunefi program.
Note
Low Risk
Documentation-only change that adds a repository security policy; no code paths or runtime behavior are affected.
Overview
Adds a new
SECURITY.mddocumenting the preferred vulnerability reporting channel (Immunefi) with alternative private reporting options (GitHub private vulnerability reporting or email), plus expectations around reward eligibility parity, coordinated disclosure, and safe-harbor guidelines for good-faith research.Reviewed by Cursor Bugbot for commit 716da75. Bugbot is set up for automated code reviews on this repo. Configure here.