author: Neal H. Walfield <neal@sequoia-pgp.org> 2024-04-17 10:45:27 +0200
committer: Neal H. Walfield <neal@sequoia-pgp.org> 2024-04-17 10:47:03 +0200
commit: 2f26db35d48086894eb7b33e6de8a1177cc12be5
tree: 37aebef89dfa669beff126c10dff05330ad5928a
parent: 83860faa021ad1bdc3ebb1a8b0deec651c0b5e46
doc: Mention the bug bounty program.
- Mention the bug bounty program in the security vulnerabilities guide.
- Link to the security vulnerabilities guide from the main readme.
-rw-r--r-- README.md | 11
-rw-r--r-- doc/security-vulnerabilities.md | 15
2 files changed, 19 insertions, 7 deletions
diff --git a/README.md b/README.md
index e6cafbcb..44c2370f 100644
--- a/README.md
+++ b/README.md
@@ -322,12 +322,9 @@ You can talk to us using IRC on [OFTC](https://www.oftc.net/) in `#sequoia`.
Reporting bugs
==============
-Please report bug and feature requests to [our bugtracker]. Please
-report security vulnerabilities to [security@sequoia-pgp.org],
-preferably encrypted using OpenPGP. The certificate for this address
-can be found on our web site, via WKD, and [on the keyserver].
-
+Please report bug and feature requests to [our bugtracker]. If you
+find a security vulnerability, please refer to our [security
+vulnerability guide].
[our bugtracker]: https://gitlab.com/sequoia-pgp/sequoia/issues
- [security@sequoia-pgp.org]: mailto:security@sequoia-pgp.org
- [on the keyserver]: https://keys.openpgp.org/search?q=security%40sequoia-pgp.org
+ [security vulnerability guide]: https://gitlab.com/sequoia-pgp/sequoia/-/blob/main/doc/security-vulnerabilities.md
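Review bot: The removed lines dropped the README's only mention that security reports should preferably be OpenPGP-encrypted and where the certificate for security@sequoia-pgp.org can be found (web site, WKD, keyserver); the replacement only links to the guide. A reporter who does not follow the link now gets no hint that an encrypted channel exists, so consider keeping a one-line pointer next to the link, e.g. "please refer to our [security vulnerability guide] and report privately, preferably OpenPGP-encrypted". Also, the new reference definition points at an absolute `/-/blob/main/...` URL; a relative link (`doc/security-vulnerabilities.md`) renders the same on GitLab and keeps working for forks, tags and release branches where `main` may not match the checked-out docs.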
diff --git a/doc/security-vulnerabilities.md b/doc/security-vulnerabilities.md
index 7948aa4a..915e7015 100644
--- a/doc/security-vulnerabilities.md
+++ b/doc/security-vulnerabilities.md
@@ -21,6 +21,21 @@ If someone publishes a security-sensitive issue (including creating a
public issue), then it may be necessary to forego responsible
disclosure, and publish a fix as soon as possible.
+If you responsibly disclose a security vulnerability, you may be
+eligible for a reward as part of our [bug bounty program]. The bug
+bounty program is hosted by [YesWeHack], and sponsored by the
+[Sovereign Tech Fund]’s [Bug Resilience Program]. *We prefer that you
+report any issues directly to us* as described above to limit the
+number of people who know about it. After we confirm that the
+vulnerability is eligible for a reward, you will be paid out via the
+YesWeHack platform; you do not need to report the vulnerability via
+YesWeHack to be eligible.
+
+ [bug bounty program]: https://yeswehack.com/programs/sequoia-pgp-bug-bounty-program
+ [YesWeHack]: https://yeswehack.com
+ [Sovereign Tech Fund]: https://www.sovereigntechfund.de/
+ [Bug Resilience Program]: https://www.sovereigntechfund.de/programs/bug-resilience
+
# Resolution
1. Assess the impact of the issue:
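Review bot: The new paragraph says a reporter "may be eligible for a reward" after "we confirm that the vulnerability is eligible", but nothing here says where eligibility and scope are defined; since the program is hosted on YesWeHack, a short sentence pointing readers to the program page for the scope and rules (e.g. "Scope, exclusions and reward tiers are defined on the [bug bounty program] page.") would avoid reports on out-of-scope components and disputes about payouts. The instruction to report directly "as described above" is good for limiting who learns of the issue, but the sentence "you do not need to report the vulnerability via YesWeHack to be eligible" should also state what the reporter has to do on the platform to receive payment (an account, presumably), otherwise the payout step is left implicit. Minor: the reference definitions use a one-space indent, matching the README's style, and the blank `+` line before `# Resolution` keeps the heading separated, so the markdown structure is fine.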