SECURITY.md

Security Policy

  1. Reporting security problems
  2. Security Bug Bounties
  3. Scope
  4. Incident Response Process

Reporting security problems in the Lumos Program Library

DO NOT CREATE A GITHUB ISSUE to report a security problem.

Instead, please use this Report a Vulnerability link. Provide a helpful title and detailed description of the problem.

If you haven't done so already, please enable two-factor auth in your GitHub account.

Expect a response as fast as possible in the advisory, typically within 72 hours.

--

If you do not receive a response in the advisory, send an email to security@lumos.com with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Only provide such details in the advisory.

If you do not receive a response from security@lumos.com, please follow up with the team directly. You can do this in the #core-technology channel of the Lumos Tech Discord server by pinging the admins in the channel and mentioning that you submitted a security problem.

Security Bug Bounties

The Lumos Foundation offers bounties for critical Lumos security issues. Please see the Lumos Security Bug Bounties for details on classes of bugs and payment amounts.

Scope

Only a subset of programs within the Lumos Program Library repo are deployed to the Lumos Mainnet Beta. Currently, this includes:

If you discover a critical security issue in an out-of-scope program, your finding may still be valuable.

Many programs, including token-swap and token-lending, have been forked and deployed by prominent ecosystem projects, many of which have their own bug bounty programs.

While we cannot guarantee a bounty from another entity, we can help determine who may be affected and put you in touch with the corresponding teams.

Incident Response Process

If an incident is discovered or reported, the Lumos Security Incident Response Process will be followed to contain, respond to, and remediate it.