
Security documentation inaccurate #3319

Open
faddat opened this issue Sep 6, 2024 · 1 comment
Comments

@faddat (Contributor)

faddat commented Sep 6, 2024

This is what security.md says:

Image

This is what happens if you follow security.md:

https://x.com/gadikian/status/1832105330802921675?t=sw2JE_oJ3SIcNveXHlqfTQ&s=19

This is Amulet changing the security reporting rules one day after closing Joe Bowman's report:

Image

https://hackerone.com/cosmos/policy_versions?change=3736457&type=team

The new reporting rules from Amulet state that there are third-party components in Gaia. But they don't describe who is a third party. Is Informal a third party? How about all of the various libraries in the Go programming language? Third party?

IBC? Third party?

Critically, the documentation for making security reports found here does not match what Amulet says the process is.

What is the process?

https://acrobat.adobe.com/id/urn:aaid:sc:AP:f8e9e3d5-bd7e-41a6-958a-ef180329f83f

Who is a third party?

Seems to me that you are routing all security concerns about the Hub to an organization that is not concerned with the security of the Hub as a whole. But the hub is a whole.

It is safe or not.

It doesn't care who made the bits and bobs in it.

Who is deciding who is a third party?

It seems as though the foundation has labeled Skip as a third party, and says that their code is often a source of security vulnerabilities. This is not true. One needs to look no further than the recent critical on ICS to understand that everybody's code is frequently a source of security vulnerabilities.

What are reporters to do from here?

  • There's no definition of what is and is not third party.
  • There's no incentive to report bugs on the Hub; in fact, there's a disincentive.
  • The foundation seems to be very clear: the security of the Cosmos Hub is not its concern.

@faddat (Contributor, Author)

faddat commented Sep 10, 2024

@mpoke the information in security.md does not contain Amulet's note on gaia, and is therefore surely inaccurate.

Do you motion to remove the fee market from Gaia?

Do you agree with their assessment that since it is "third party" (whatever that means) software, it is innately unsafe? I disagree with them and think that the fee market is the cure that p2p storms and related issues always needed.

If not, clearly no one should be taking issues to Amulet/ICF, because they don't support it, and say that its third-party nature weakens security on the Hub.

So let's next make a PR to remove the fee market, since it seems that is what is advised by Amulet.

Labels
None yet
Projects
Status: 🩹 F1: Triage
Development

No branches or pull requests

1 participant