Security Reporting
Responsible disclosure policy and security vulnerability reporting for Burning Ash Protocol.
This guide explains how to report a vulnerability in Burning Ash Protocol (BAP) responsibly and what to expect once you have.
Responsible Disclosure
Our Commitment
- We respond to security reports within the timeline below
- We will not pursue legal action against researchers who follow these guidelines
- We credit researchers in release notes (with their permission)
Timeline
| Phase | Target |
|---|---|
| Initial Response | 24-48 hours |
| Severity Assessment | 3-5 days |
| Fix Timeline | Based on severity (see Severity Levels below) |
What to Report
In Scope
- Authentication bypass
- Authorization flaws
- Data exposure
- Cryptographic weaknesses
- Injection attacks
- Service disruption caused by an application flaw (basic flooding is out of scope, see below)
Out of Scope
- Social engineering
- Physical security
- Denial of service by basic volumetric or resource-exhaustion flooding
- Issues in third-party dependencies (report these to the upstream project)
How to Report
Contact
Email: [email protected]
Format
Subject: [SECURITY] Brief Description
Vulnerability Type:
Severity (Critical/High/Medium/Low):
Affected Component:
Steps to Reproduce:
Impact:
Suggested Fix (optional):
Example
Subject: [SECURITY] SQL Injection in /api/will
Vulnerability Type: SQL Injection
Severity: Critical
Affected Component: api/internal/handler/will.go
Steps to Reproduce:
1. POST /api/will/upload
2. Inject SQL in filename parameter
Impact: Database compromise
What Not to Do
- Don't exploit the vulnerability beyond the minimal proof of concept needed to demonstrate it
- Don't access other user data
- Don't modify systems
- Don't share with third parties
- Don't publish without coordination
What Happens Next
- Acknowledge - We confirm receipt within 24-48 hours
- Assess - We determine severity and the matching fix timeline
- Fix - We develop and test a fix
- Release - We publish the fix and document it in the release notes
- Credit - We acknowledge the researcher (with permission)
Severity Levels
Critical (P0)
- Data breach
- Account takeover
- Full system compromise
Fix Timeline: 24-48 hours (workaround), 7 days (fix)
High (P1)
- Partial data exposure
- Authentication bypass
- Privilege escalation
Fix Timeline: 7 days (workaround), 14 days (fix)
Medium (P2)
- Limited impact
- Requires specific conditions
- Moderate data exposure
Fix Timeline: 30 days
Low (P3)
- Minimal impact
- Difficult to exploit
- Informational
Fix Timeline: Next release
Security Updates
Release Notes
Security fixes documented in:
- GitHub releases
- CHANGELOG.md
Credit
With permission, we credit researchers:
- Name in release notes
- Thanks in documentation
Example:
Thanks to Jane Doe for reporting this issue.
Bug Bounty
Currently no bug bounty program. We appreciate responsible disclosure.
Secure Coding
See Code Style for security guidelines.
Encryption
BAP uses:
- AES-256-GCM for documents
- Argon2id for passwords
- HKDF for key derivation
- Shamir's Secret Sharing
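As an added illustration of the last primitive in that list, the following is a minimal Shamir's Secret Sharing over the prime field GF(2^521 - 1), large enough to hold an AES-256-GCM document key as one field element. This is not BAP's own code: the page does not state BAP's field, share encoding or (n, k) parameters, and the 3-of-5 split in the demo is an assumed choice.

```python
"""Shamir's Secret Sharing over a prime field.

Added illustration only: this is not BAP's implementation. BAP's field,
share encoding and (n, k) parameters are not stated on this page; the
construction below is the textbook scheme with assumed parameters.
"""
import secrets

# Mersenne prime 2**521 - 1. A 256-bit AES-GCM key (or any secret up to
# 520 bits) fits in one field element, so no chunking is needed.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (Horner's rule) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Split an integer secret into n shares; any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1,
    and share i is the point (i, f(i)). Fewer than k points leave f(0)
    undetermined, which is where the threshold guarantee comes from.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= k <= n:
        raise ValueError("threshold k must satisfy 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to get the constant term.

    The caller must supply at least k distinct shares. With fewer, the value
    returned is uniformly distributed over the field and carries no
    information about the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Lagrange basis polynomial for xi evaluated at 0: prod(-xj) / prod(xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key: bytes, n: int, k: int):
    """Share a symmetric key (e.g. a 32-byte AES-256-GCM document key)."""
    return split_secret(int.from_bytes(key, "big"), n, k)


def recover_key(shares, key_len: int) -> bytes:
    """Reassemble a key of key_len bytes from at least k shares.

    to_bytes raises OverflowError when the recovered value does not fit in
    key_len bytes, which is what happens with too few or mismatched shares.
    """
    return recover_secret(shares).to_bytes(key_len, "big")


def demo():
    """Constructed example: a fresh 32-byte key split 3-of-5 and recovered twice."""
    key = secrets.token_bytes(32)
    shares = split_key(key, n=5, k=3)
    from_first_three = recover_key(shares[:3], 32)
    from_spread = recover_key([shares[0], shares[2], shares[4]], 32)
    return key == from_first_three == from_spread


if __name__ == "__main__":
    print("3-of-5 recovery OK:", demo())
```

The point a reviewer of a threshold scheme checks is the one the comments spell out: share values come from fresh random coefficients, interpolation is done in the field (not over plain integers), and fewer than k shares yield a value statistically independent of the secret.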
Contact
Security issues only: [email protected]
General (non-security) issues: GitHub Issues
Next Steps
- Code Style — Secure coding
- Pull Requests — Contribution workflow
- Development Setup — Local setup