
Security: kroma-network/zkevm-specs

Security

SECURITY.md

Security Policy

How to disclose a vulnerability to us

The wrong way to disclose

The following actions will disqualify you from eligibility for a reward:

  1. Filing a public ticket mentioning the vulnerability
  2. Testing the vulnerability on the mainnet or testnet

The right way to disclose

If you find any vulnerabilities in our products, please email Lightscale at [email protected]. We appreciate detailed instructions for confirming the vulnerability. We are going to operate a bounty program soon.

How we disclose vulnerabilities

In the event that we learn of a critical security vulnerability, we reserve the right to silently fix it without immediately publicly disclosing the existence or nature of the vulnerability.

In such a scenario we will:

  1. silently fix the vulnerability and include the fix in release X,
  2. after 4-8 weeks, disclose that X contained a security fix,
  3. after an additional 4-8 weeks, publish details of the vulnerability.

Alongside this policy, we also reserve the right to do either of the following:

  • bypass this policy and publish details on a shorter timeline
  • directly notify a subset of downstream users prior to making a public announcement

This policy is based on the Geth team’s silent patch policy.

Defensive measures during an incident

Our system does not currently have fault proofs, meaning we are able to pause the system in an emergency.

We've established some guiding criteria for disabling the system during an incident response situation:

  • If an attack is ongoing: we should disable or pause in order to prevent further damage.
  • If we suspect that a vulnerability might be widely known: we should disable or pause proactively.
  • Otherwise: we should not disable or pause the system.

There aren’t any published security advisories