
Commit 99e55cb

feat: add security policy and reporting guidelines
Ticket: DX-1506
1 parent 12d85bd commit 99e55cb

File tree

1 file changed: +28 -0 lines changed


SECURITY.md

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
# Security Policy
2+
3+
The BitGo team and the wider BitGo community take the security of the `BitGoJS` library seriously. We are committed to a secure and transparent vulnerability disclosure process. This policy outlines how to responsibly report security vulnerabilities in the `BitGoJS` repository and its associated ecosystem.
4+
5+
## How to Report a Vulnerability
6+
7+
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** Public disclosure of a vulnerability can create an immediate and unmanaged risk, exposing users to a potential exploit before a fix can be implemented.
8+
9+
Please also note that public and known vulnerabilities discoverable through dependency analysis and static analysis are considered out of scope and should not be reported.
10+
11+
Instead, all security vulnerabilities must be reported through our official public bug bounty program. Our public bug bounty program is hosted on **Bugcrowd**. To report a vulnerability and be eligible for a bounty, please submit your findings directly to our program brief.
12+
13+
**Link to BitGo's Public Bug Bounty Program:**
14+
- [https://bugcrowd.com/engagements/bitgo-mbb-og-public](https://bugcrowd.com/engagements/bitgo-mbb-og-public)
15+
16+
## BitGo Bug Bounty Program Scope
17+
18+
The `BitGoJS` public repository is included in the scope of our bug bounty program. For details on our Safe Harbor policy, eligibility, and other program rules, please refer to the official program brief on the Bugcrowd platform.
19+
20+
## Supported Versions
21+
22+
Security updates are applied to the latest major release of `BitGoJS`. While we may address critical vulnerabilities in older versions on a case-by-case basis, researchers should focus on the latest stable release for their testing efforts.
23+
24+
## Additional Information
25+
26+
For general inquiries or non-security-related concerns, please use the standard issue tracker. For more details on our bug bounty program rules, including reward tiers, in-scope assets, and out-of-scope issues, please refer to the official program brief on the Bugcrowd platform.
27+
28+
Thank you for helping us keep BitGo and our users secure.
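Review bot: Bugcrowd is the only reporting channel the policy offers; the paragraph "Instead, all security vulnerabilities must be reported through our official public bug bounty program" leaves no route for a reporter who cannot or will not register with Bugcrowd, or for the period when the program brief is paused or the link changes. Consider adding a direct fallback contact (a dedicated security mailbox, ideally with a PGP key or a `security.txt` reference) next to the Bugcrowd link, and stating the expected acknowledgement and triage times so reporters know when a follow-up is reasonable. Two smaller points: the out-of-scope sentence about "vulnerabilities discoverable through dependency analysis and static analysis" would be less ambiguous if it said whether a vulnerable dependency with a demonstrated reachable code path in `BitGoJS` is still in scope, and `## Supported Versions` would read more clearly as the conventional version/supported table than as the single prose sentence under it.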
