From 89624441ec46714f19ea14491a0c4a47d130a15c Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Tue, 11 Jun 2019 20:49:02 -0500 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..ce612cca --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,37 @@ +# Security Policy + +# Scope + +The Onionr software and any nodes you control are within scope. + +Avoid social engineering, volume-based denial of service and disrupting or harming the Onionr network. Do not attempt to exploit any machines/servers you do not own or otherwise have permission to do so. + +The following exploits are of particular interest: + +* Arbitrary code execution +* API authentication bypass (such as accessing local API from public interface) +* Deanonymization: + * Easily associating public keys with server addresses + * Discovering true server IPs when behind Tor/I2P (aside from Tor/i2p-level attacks) + * Easily discovering which nodes are the block creator +* XSS, CSRF, clickjacking +* Timing attacks against the local http server ([see blog post](https://www.chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html)) +* Discovering direct connection servers as a non participant. +* Cryptography/protocol issues +* Denying nodes access to the network by segmenting them out with Sybil nodes + +We do not consider non-network based same-machine attacks to be very significant, but we are still willing to listen. + +# Rewards + +Onionr is a student-owned hobby project, resources are not available for large rewards. + +Stickers or other reasonable & negotiable rewards are available. We reserve the right to refuse rewards for any reason. + +Public recognition can be given upon request. + +# Contact + +Email: beardog [ at ] mailbox.org + +PGP (optional): F61A 4DBB 0B3D F172 1F65 0EDF 0D41 4D0F E405 B63B
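Review bot: the section headings `# Scope`, `# Rewards` and `# Contact` in this hunk sit at the same level as the document title `# Security Policy`, so the rendered file has four top-level headings; demote the three sections to `## Scope`, `## Rewards` and `## Contact`. In the same hunk, the Contact section gives a PGP fingerprint but does not say where the public key can be fetched, and the policy names no expected acknowledgement window or disclosure process (how long a reporter should wait before publishing), both of which a reporter needs to act on the policy. Minor: "non participant" should be "non-participant", and the trailing period on "Discovering direct connection servers as a non participant." is inconsistent with the other list items.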