The current master and only the latest agoric-upgrade-* tagged release and pre-release are supported with security updates.
At Agoric, we believe that strong security requires strong collaboration with security researchers. If you believe that you have found a security bug in our code, we encourage you to report it. To report a bug, you can:
- Submit a report to the Agoric HackerOne vulnerability rewards program, where it may be eligible for a reward.
- Send an email to security@agoric.com.
- It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual reproduce the issue.
- A bug reporter can expect acknowledgement of a potential vulnerability reported through security@agoric.com within one business day of submitting a report. If an acknowledgement of an issue is not received within this time frame, especially during a weekend or holiday period, please reach out again. Any issues reported to the HackerOne program will be acknowledged within the time frames posted on the program page.
  - The bug triage team and Agoric code maintainers are primarily located in the San Francisco Bay Area, with business hours in Pacific Time.
- For the safety and security of those who depend on the code, bug reporters should avoid publicly sharing the details of a security bug on Twitter, Discord, Telegram, or in public GitHub issues during the coordination process.
- Once a vulnerability report has been received and triaged:
  - Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on the validity of the report.
  - It may take up to 72 hours for an issue to be validated, especially if reported during holidays or on weekends.
- When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.
  - Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.
  - If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.
  - While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch as quickly as possible.
- When a bug patch is included in a software release, the Agoric code maintainers will:
  - Confirm the version and date of the software release with the reporter.
  - Provide information about the security issue that the software release resolves.
  - Credit the bug reporter for discovery by adding thanks in release notes, securing a CVE designation, or adding the researcher’s name to a Hall of Fame.