Improving the substrate/ecosystem vulnerabilities disclosure

Hi all, thanks for the inputs. Before talking about using Discourse or other tools which may be useful, happy to share the approach Parity has deployed and shared with the parachains.

Context

When a vulnerability is identified within the Polkadot Ecosystem, what is the approach to follow for its disclosure within Parity, with the parachains, and more widely to the Ecosystem?

Situation

  1. Vulnerabilities can be discovered via multiple different channels:
  • Internally
    • An employee/contractor
    • A security provider mandated to perform a review
  • Externally
    • A hacker directly via the BugBounty
    • Via parachains: directly or via their BugBounty scheme or auditors/pentesters
    • Via the ecosystem
  2. The fix for a vulnerability can take a certain amount of effort and time to be identified
  3. Deployment of a fix can take a certain time to be rolled out
  4. From a risk perspective, the longer a vulnerability exists and the more people are aware of it, the higher the likelihood of exploitation

Approach

  • In case Parity is made aware of a vulnerability which may impact the ecosystem, it is communicated with the following approach. The same reciprocal approach has been discussed with the parachains, to be consistent.
  • When
    • If it is critical and Parity is not able to have it addressed within 5 days
    • If it is high and Parity is not able to have it addressed within 20 days
  • To whom
    • To the parachains ONLY, to balance the opportunity to have a partnership to fix it and for parachains to deploy mitigations, while in parallel limiting the number of people informed who may potentially leverage the vulnerability to perform bad activities
      • When a security audit firm is initially involved, they may be part of the remedial discussion
      • The dedicated Vulnerability Disclosure Matrix channels (Polkadot and Kusama) are used to sync/inform with the different parties
    • NO larger communication to the community or more widely will be done, outside of exceptional situations, which will be reviewed on an ad-hoc basis.
    • When the fix/mitigation is deployed by the parachains and Parity, a global communication is made via a post in the Forum

Reference

  • A guidance Vulnerability Disclosure template has been created to help capture key information
  • A specific public index to track the history and full list of vulnerabilities is being created to facilitate access for everyone, including new joiners to the community