Merge pull request #139 from rsksmart/security-policy

Create security policy file
rsksmart · Jan 22, 2025 · 4e59966 · 4e59966
2 parents aa2cd6e + aced7d2
commit 4e59966
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,27 @@
+# Reporting Security Issues
+
+The Rootstock team and community take security bugs in Rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+
+## Responsible Disclosure
+
+For all security related issues, we have two main points of contact. Reach us at <[email protected]> or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/bitcoinj-thin/security/advisories/new) tab.
+
+The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/bitcoinj-thin/issues).
+
+## Vulnerability Handling
+
+### Response Time
+
+RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities:
+
+* Time to first response (from report submit) - 5 business days
+* Time to triage (from report submit) - 7 business days
+
+We’ll try to keep you informed about our progress throughout the process.
+
+### Disclose Policy
+
+Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/).