Eve/Security.md
Danny Morabito 45e6003d41
🔄 Forum overhaul: Phora → Arbor
🔧 Replace legacy system with NIP-BB implementation
    🚀 Enhance forum user experience with improved navigation and interactions
    🎨 Redesign UI for forum
    🏷️ Rebrand from "Phora" to "Arbor"
2025-03-18 16:02:16 +01:00


SECURITY

Security Policy for EVE

We take security seriously. We appreciate the community's efforts in identifying and responsibly disclosing potential security vulnerabilities.

Reporting a Vulnerability

If you believe you've found a security vulnerability in EVE, please report it to us privately using one of these methods:

Option 1: Encrypted Nostr DM

Send a NIP-44 encrypted direct message to:

npub1ven4zk8xxw873876gx8y9g9l9fazkye9qnwnglcptgvfwxmygscqsxddfh

Option 2: Email with PGP Encryption

Send an encrypted email to danny@arx-ccn.com using the following PGP key:


What to Include in Your Report

Please include the following information in your vulnerability report:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Any suggested mitigations (if applicable)
  5. Whether you'd like to be credited for the discovery

Vulnerability Severity Classification

We classify vulnerabilities according to the following severity levels:

| Severity | Description |
|----------|-------------|
| Critical | Vulnerabilities that can lead to system compromise, unauthorized access to CCN data, or significant service disruption |
| High     | Vulnerabilities that can lead to partial service disruption |
| Medium   | Vulnerabilities that may expose non-sensitive information or affect functionality in a limited way |
| Low      | Minor issues with minimal security impact |

Please include your assessment of the severity in your report.

Responsible Disclosure Policy

  • We will acknowledge receipt of your vulnerability report within 72 hours.
  • We will provide an initial assessment of the report within 7 days.
  • We will work diligently to verify and address the reported issue, prioritizing based on severity.
  • We request that you do not publicly disclose the vulnerability until we've had adequate time to address it.
  • After 60 days from acknowledgment, if we haven't addressed the issue, you may disclose it publicly.

Scope

This security policy applies to the following official EVE repositories and components:

Out of Scope

  • Third-party integrations not maintained by the Arx team
  • Community forks not officially supported by the Arx team
  • Issues already publicly disclosed or previously reported

Security Updates

Security updates will be released as soon as possible after verification and remediation, with priority given to Critical and High severity issues. We will provide information about the vulnerability and the fix in release notes.

Recognition

We believe in recognizing the valuable contributions of security researchers. With your permission, we will acknowledge your contribution in our release notes and CONTRIBUTORS.md file.

Thank you for helping keep EVE and its users secure!