Policies and Procedures

• Two volunteer developers from each team.
• 12 month commitment.
• Help triage and respond to reports following the responsible disclosure policies and procedures.
• Keep the reporter informed of the status of their report by sending updates at a minimum of one per week.

Responsible Disclosure

• 48 hours to respond to reporter acknowledging the report.
• 1 week to triage, report, and coordinate with the affected project maintainers to plan the fix of the bug.
• 90 days to fix and release a fix or disclose the security bug.
• Any "critical" errors shall be assigned a CVE number and disclosed through the formal CVE system.

Example Acknowledgment Response

Dear <hacker>,

Thank you for your recent report of a security bug. I am emailing to let you know that we are in the process of investigating your report and will reply to you again when we have determined the validity of your report. We may have further questions that come up as part of our investigation. We appreciate your contribution to Hyperledger <project>.

Thank you,

<your name>

Example Update

Dear <hacker>,

I'm emailing to let you know that we have confirmed your bug report as a valid security concern and have filed a bug in our system. We will reply to you again when the status of the bug changes.

Thank you,

<your name>