Issues can easily be deleted on GitHub, and Interchain Foundation funded teams have often deleted issues I have opened. This is a backup of the issue on the Cosmos Hub:
The new reporting rules from Amulet state that there are third-party components in Gaia. But they don't describe who is a third party. Is Informal a third party? How about all of the various libraries in the Go programming language? Third party?
IBC? Third party?
Critically, the documentation for making security reports found here does not match what Amulet says the process is.
Seems to me that you are routing all security concerns about the Hub to an organization that is not concerned with the security of the Hub as a whole. But the hub is a whole.
It is safe or not.
It doesn't care who made the bits and bobs in it.
Who is deciding who is a third party?
It seems as though the foundation has labeled Skip as a third party, and says that their code is often a source of security vulnerabilities. This is not true. One needs to look no further than the recent critical on ICS to understand that everybody's code is frequently a source of security vulnerabilities.
What are reporters to do from here?
There's no definition of what is and is not third party.
There's no incentive to report bugs on the Hub; in fact, there's a disincentive.
Seems the foundation is being very clear: the security of the Cosmos Hub is not its concern.
Issues can easily be deleted on GitHub, and Interchain Foundation funded teams have often deleted issues I have opened. This is a backup of the issue on the Cosmos Hub:
This is what security.md says.
This is what happens if you follow security.md:
https://x.com/gadikian/status/1832105330802921675?t=sw2JE_oJ3SIcNveXHlqfTQ&s=19
This is Amulet changing the security reporting rules one day after closing Joe Bowman's report:
https://hackerone.com/cosmos/policy_versions?change=3736457&type=team
The new reporting rules from Amulet state that there are third-party components in Gaia. But they don't describe who is a third party. Is Informal a third party? How about all of the various libraries in the Go programming language? Third party?
IBC? Third party?
Critically, the documentation for making security reports found here does not match what Amulet says the process is.
What is the process?
https://acrobat.adobe.com/id/urn:aaid:sc:AP:f8e9e3d5-bd7e-41a6-958a-ef180329f83f
Who is a third party?
Seems to me that you are routing all security concerns about the Hub to an organization that is not concerned with the security of the Hub as a whole. But the hub is a whole.
It is safe or not.
It doesn't care who made the bits and bobs in it.
Who is deciding who is a third party?
It seems as though the foundation has labeled Skip as a third party, and says that their code is often a source of security vulnerabilities. This is not true. One needs to look no further than the recent critical on ICS to understand that everybody's code is frequently a source of security vulnerabilities.
What are reporters to do from here?