Create SECURITY.md

2019-06-11 20:49:02 -05:00 · 2019-06-11 20:49:02 -05:00 · 89624441ec
parent bc75211bb1
commit 89624441ec
1 changed files with 37 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,37 @@
+# Security Policy
+
+# Scope
+
+The Onionr software and any nodes you control are within scope.
+
+Avoid social engineering, volume-based denial of service and disrupting or harming the Onionr network. Do not attempt to exploit any machines/servers you do not own or otherwise have permission to do so.
+
+The following exploits are of particular interest:
+
+* Arbitrary code execution
+* API authentication bypass (such as accessing local API from public interface)
+* Deanonymization:
+  * Easily associating public keys with server addresses
+  * Discovering true server IPs when behind Tor/I2P (aside from Tor/i2p-level attacks)
+  * Easily discovering which nodes are the block creator
+* XSS, CSRF, clickjacking
+* Timing attacks against the local http server ([see blog post](https://www.chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html))
+* Discovering direct connection servers as a non participant.
+* Cryptography/protocol issues
+* Denying nodes access to the network by segmenting them out with Sybil nodes
+
+We do not consider non-network based same-machine attacks to be very significant, but we are still willing to listen.
+
+# Rewards
+
+Onionr is a student-owned hobby project, resources are not available for large rewards.
+
+Stickers or other reasonable & negotiable rewards are available. We reserve the right to refuse rewards for any reason.
+
+Public recognition can be given upon request.
+
+# Contact
+
+Email: beardog [ at ] mailbox.org
+
+PGP (optional): F61A 4DBB 0B3D F172 1F65  0EDF 0D41 4D0F E405 B63B