Responsible Disclosure Policy
Overview
The Savitri Network Responsible Disclosure Policy establishes a framework for security researchers to report vulnerabilities in a responsible manner while ensuring proper protection for both researchers and the Savitri Network ecosystem. This policy encourages ethical security research and facilitates the timely remediation of discovered vulnerabilities.
Technology Choice Rationale
Why Responsible Disclosure Policy
Problem Statement: Security researchers need clear guidelines for reporting vulnerabilities while protecting both researchers and the ecosystem from premature disclosure.
Chosen Solution: Comprehensive responsible disclosure framework with clear reporting procedures, timelines, and protection measures.
Rationale:
- Researcher Protection: Legal protection for good-faith security research
- Ecosystem Safety: Prevent exploitation of vulnerabilities before patches
- Clear Process: Well-defined reporting and remediation procedures
- Transparency: Public disclosure of fixed vulnerabilities
Expected Results:
- Increased vulnerability reporting from security researchers
- Faster remediation of security issues
- Reduced risk of vulnerability exploitation
- Stronger security through collaborative research
Policy Scope
Covered Systems
In-Scope Assets:
pub struct InScopeAssets {
pub core_protocol: CoreProtocolAssets,
pub network_infrastructure: NetworkInfrastructureAssets,
pub smart_contracts: SmartContractAssets,
pub official_applications: OfficialApplicationAssets,
pub cryptographic_implementations: CryptoImplementationAssets,
}
impl InScopeAssets {
pub fn get_all_assets(&self) -> Vec<Asset> {
vec![
// Core protocol components
Asset {
name: "Savitri Core Protocol",
component: "Consensus mechanism",
version: "1.0.0+",
description: "BFT consensus implementation",
},
Asset {
name: "Savitri Core Protocol",
component: "Block validation",
version: "1.0.0+",
description: "Block and transaction validation logic",
},
Asset {
name: "Savitri Core Protocol",
component: "P2P networking",
version: "1.0.0+",
description: "Peer-to-peer communication protocol",
},
// Network infrastructure
Asset {
name: "Savitri Network Infrastructure",
component: "Bootstrap nodes",
version: "All versions",
description: "Network bootstrap and discovery nodes",
},
Asset {
name: "Savitri Network Infrastructure",
component: "RPC endpoints",
version: "All versions",
description: "Official RPC API endpoints",
},
// Smart contracts
Asset {
name: "Savitri Smart Contracts",
component: "Token standards",
version: "All versions",
description: "SAVITRI-20, SAVITRI-721, SAVITRI-1155",
},
Asset {
name: "Savitri Smart Contracts",
component: "Governance contracts",
version: "All versions",
description: "On-chain governance mechanisms",
},
// Official applications
Asset {
name: "Savitri Official Wallet",
component: "Desktop wallet",
version: "All versions",
description: "Official desktop wallet application",
},
Asset {
name: "Savitri Official Wallet",
component: "Mobile wallet",
version: "All versions",
description: "Official mobile wallet applications",
},
// Cryptographic implementations
Asset {
name: "Savitri Cryptographic Library",
component: "Signature schemes",
version: "All versions",
description: "secp256k1 and Ed25519 implementations",
},
Asset {
name: "Savitri Cryptographic Library",
component: "Hash functions",
version: "All versions",
description: "SHA-256, Keccak256, and Blake3 implementations",
},
]
}
}
Out-of-Scope Systems
Excluded Assets:
pub struct OutOfScopeAssets {
pub third_party_services: ThirdPartyServices,
pub unofficial_applications: UnofficialApplications,
pub deprecated_systems: DeprecatedSystems,
pub social_engineering: SocialEngineeringAssets,
}
impl OutOfScopeAssets {
pub fn get_excluded_assets(&self) -> Vec<ExcludedAsset> {
vec![
ExcludedAsset {
name: "Third-party exchanges",
reason: "Not operated by Savitri Network",
reporting_guidance: "Contact exchange directly",
},
ExcludedAsset {
name: "Unofficial wallet applications",
reason: "Not maintained by Savitri Network",
reporting_guidance: "Contact application developer",
},
ExcludedAsset {
name: "Deprecated protocol versions",
reason: "No longer supported or maintained",
reporting_guidance: "Upgrade to supported version",
},
ExcludedAsset {
name: "Social engineering attacks",
reason: "User education issue, not technical vulnerability",
reporting_guidance: "Report to security education team",
},
]
}
}
Vulnerability Classification
Severity Levels
Severity Classification Framework:
pub struct VulnerabilitySeverity {
pub critical: CriticalCriteria,
pub high: HighCriteria,
pub medium: MediumCriteria,
pub low: LowCriteria,
pub informational: InformationalCriteria,
}
impl VulnerabilitySeverity {
pub fn classify_vulnerability(&self, vulnerability: &VulnerabilityReport) -> SeverityLevel {
match self.assess_impact(vulnerability) {
ImpactAssessment::Critical => SeverityLevel::Critical,
ImpactAssessment::High => SeverityLevel::High,
ImpactAssessment::Medium => SeverityLevel::Medium,
ImpactAssessment::Low => SeverityLevel::Low,
ImpactAssessment::Informational => SeverityLevel::Informational,
}
}
fn assess_impact(&self, vulnerability: &VulnerabilityReport) -> ImpactAssessment {
let confidentiality_impact = self.assess_confidentiality_impact(vulnerability);
let integrity_impact = self.assess_integrity_impact(vulnerability);
let availability_impact = self.assess_availability_impact(vulnerability);
let exploitability = self.assess_exploitability(vulnerability);
// CVSS-like scoring
let base_score = (confidentiality_impact.score +
integrity_impact.score +
availability_impact.score) / 3.0;
let final_score = base_score * exploitability.multiplier;
match final_score {
score if score >= 9.0 => ImpactAssessment::Critical,
score if score >= 7.0 => ImpactAssessment::High,
score if score >= 4.0 => ImpactAssessment::Medium,
score if score >= 1.0 => ImpactAssessment::Low,
_ => ImpactAssessment::Informational,
}
}
}
Critical Vulnerabilities:
pub struct CriticalVulnerability {
pub examples: Vec<VulnerabilityExample>,
pub response_time: ResponseTime,
pub bounty_range: BountyRange,
}
impl CriticalVulnerability {
pub fn get_examples(&self) -> Vec<VulnerabilityExample> {
vec![
VulnerabilityExample {
title: "Remote Code Execution in Consensus",
description: "Ability to execute arbitrary code on validator nodes",
impact: "Complete network compromise",
example: "Buffer overflow in block processing",
},
VulnerabilityExample {
title: "Private Key Extraction",
description: "Ability to extract private keys from wallet applications",
impact: "Complete user fund loss",
example: "Memory disclosure vulnerability in wallet",
},
VulnerabilityExample {
title: "Consensus Break",
description: "Ability to cause consensus divergence or forks",
impact: "Network partition and double-spending",
example: "BFT protocol implementation flaw",
},
VulnerabilityExample {
title: "Cryptographic Break",
description: "Break in cryptographic primitives or protocols",
impact: "Complete system compromise",
example: "Signature scheme vulnerability",
},
]
}
}
Reporting Process
Reporting Channels
Secure Reporting Methods:
pub struct ReportingChannels {
pub encrypted_email: EncryptedEmailChannel,
pub web_form: SecureWebForm,
pub pgp_key: PGPKeyInformation,
pub dedicated_security_team: SecurityTeamContact,
}
impl ReportingChannels {
pub fn get_reporting_options(&self) -> Vec<ReportingOption> {
vec![
ReportingOption {
method: "Encrypted Email",
address: "security@savitri.network",
pgp_key_fingerprint: "A1B2C3D4E5F6789012345678901234567890ABCD",
instructions: "Use PGP encryption with provided key",
response_time: "Within 24 hours",
},
ReportingOption {
method: "Secure Web Form",
url: "https://security.savitri.network/report",
encryption: "TLS 1.3 with end-to-end encryption",
instructions: "Upload encrypted reports and evidence",
response_time: "Within 48 hours",
},
ReportingOption {
method: "Bug Bounty Platform",
platform: "HackerOne / Immunefi",
program: "Savitri Network",
instructions: "Submit through platform for bounty consideration",
response_time: "Within 72 hours",
},
]
}
}
Report Format
Required Information:
pub struct VulnerabilityReport {
pub reporter_information: ReporterInfo,
pub vulnerability_details: VulnerabilityDetails,
pub reproduction_steps: ReproductionSteps,
pub impact_assessment: ImpactAssessment,
pub evidence: Evidence,
}
impl VulnerabilityReport {
pub fn get_required_fields(&self) -> Vec<RequiredField> {
vec![
RequiredField {
name: "Vulnerability Title",
description: "Clear, concise title describing the vulnerability",
required: true,
example: "Buffer Overflow in Block Processing",
},
RequiredField {
name: "Affected Component",
description: "Specific component or system affected",
required: true,
example: "Consensus engine, version 1.2.3",
},
RequiredField {
name: "Vulnerability Type",
description: "Type of vulnerability (e.g., RCE, XSS, CSRF)",
required: true,
example: "Remote Code Execution",
},
RequiredField {
name: "Severity Assessment",
description: "Your assessment of vulnerability severity",
required: true,
example: "Critical - allows complete network compromise",
},
RequiredField {
name: "Detailed Description",
description: "Comprehensive description of the vulnerability",
required: true,
example: "The vulnerability exists in the block processing function...",
},
RequiredField {
name: "Reproduction Steps",
description: "Step-by-step instructions to reproduce the vulnerability",
required: true,
example: "1. Send crafted block with oversized transaction...",
},
RequiredField {
name: "Proof of Concept",
description: "Code, screenshots, or other evidence demonstrating the vulnerability",
required: true,
example: "Attached PoC script that triggers the vulnerability",
},
RequiredField {
name: "Impact Analysis",
description: "Analysis of potential impact if exploited",
required: true,
example: "Attacker could gain control of validator nodes...",
},
]
}
}
Response Timeline
Response SLAs
Service Level Agreements:
pub struct ResponseTimeline {
pub initial_response: InitialResponseSLA,
pub triage_completion: TriageCompletionSLA,
pub remediation_timeline: RemediationTimelineSLA,
pub disclosure_timeline: DisclosureTimelineSLA,
}
impl ResponseTimeline {
pub fn get_sla_matrix(&self) -> SLAMatrix {
SLAMatrix {
critical: ResponseSLA {
initial_response: Duration::hours(24),
triage_completion: Duration::hours(48),
remediation_target: Duration::days(7),
public_disclosure: Duration::days(14),
},
high: ResponseSLA {
initial_response: Duration::hours(48),
triage_completion: Duration::days(3),
remediation_target: Duration::days(14),
public_disclosure: Duration::days(30),
},
medium: ResponseSLA {
initial_response: Duration::days(3),
triage_completion: Duration::days(7),
remediation_target: Duration::days(30),
public_disclosure: Duration::days(60),
},
low: ResponseSLA {
initial_response: Duration::days(7),
triage_completion: Duration::days(14),
remediation_target: Duration::days(90),
public_disclosure: Duration::days(90),
},
}
}
}
Response Process
Response Workflow:
pub struct ResponseProcess {
pub acknowledgment: AcknowledgmentProcess,
pub validation: ValidationProcess,
pub triage: TriageProcess,
pub remediation: RemediationProcess,
pub disclosure: DisclosureProcess,
}
impl ResponseProcess {
pub async fn process_vulnerability_report(&self, report: VulnerabilityReport) -> Result<ProcessResult, ProcessError> {
// 1. Acknowledge receipt
let acknowledgment = self.acknowledgment.send_acknowledgment(&report).await?;
// 2. Validate vulnerability
let validation_result = self.validation.validate_vulnerability(&report).await?;
// 3. Triage and prioritize
let triage_result = self.triage.triage_vulnerability(&report, &validation_result).await?;
// 4. Plan remediation
let remediation_plan = self.remediation.create_remediation_plan(&report, &triage_result).await?;
// 5. Execute remediation
let remediation_result = self.remediation.execute_remediation(&remediation_plan).await?;
// 6. Plan disclosure
let disclosure_plan = self.disclosure.create_disclosure_plan(&report, &remediation_result).await?;
Ok(ProcessResult {
acknowledgment,
validation_result,
triage_result,
remediation_plan,
remediation_result,
disclosure_plan,
})
}
}
Bounty Program
Reward Structure
Bounty Tiers:
pub struct BountyProgram {
pub critical_rewards: CriticalRewardTier,
pub high_rewards: HighRewardTier,
pub medium_rewards: MediumRewardTier,
pub low_rewards: LowRewardTier,
pub informational_rewards: InformationalRewardTier,
}
impl BountyProgram {
pub fn get_bounty_ranges(&self) -> BountyRanges {
BountyRanges {
critical: BountyRange {
minimum: 50_000, // $50,000 USD
maximum: 250_000, // $250,000 USD
typical: 100_000, // $100,000 USD
payment_methods: vec!["Cryptocurrency", "Bank Transfer"],
},
high: BountyRange {
minimum: 10_000, // $10,000 USD
maximum: 50_000, // $50,000 USD
typical: 20_000, // $20,000 USD
payment_methods: vec!["Cryptocurrency", "Bank Transfer"],
},
medium: BountyRange {
minimum: 2_000, // $2,000 USD
maximum: 10_000, // $10,000 USD
typical: 5_000, // $5,000 USD
payment_methods: vec!["Cryptocurrency", "Gift Cards"],
},
low: BountyRange {
minimum: 500, // $500 USD
maximum: 2_000, // $2,000 USD
typical: 1_000, // $1,000 USD
payment_methods: vec!["Cryptocurrency", "Gift Cards", "Merchandise"],
},
informational: BountyRange {
minimum: 100, // $100 USD
maximum: 500, // $500 USD
typical: 250, // $250 USD
payment_methods: vec!["Gift Cards", "Merchandise", "Recognition"],
},
}
}
}
Bonus Criteria
Additional Rewards:
pub struct BonusCriteria {
pub quality_bonus: QualityBonus,
pub impact_bonus: ImpactBonus,
pub collaboration_bonus: CollaborationBonus,
pub innovation_bonus: InnovationBonus,
}
impl BonusCriteria {
pub fn calculate_bonus(&self, report: &VulnerabilityReport, base_bounty: u64) -> u64 {
let mut bonus_multiplier = 1.0;
// Quality bonus for well-documented reports
if self.quality_bonus.qualifies_for_bonus(report) {
bonus_multiplier += 0.2; // 20% bonus
}
// Impact bonus for high-impact vulnerabilities
if self.impact_bonus.qualifies_for_bonus(report) {
bonus_multiplier += 0.3; // 30% bonus
}
// Collaboration bonus for cooperative researchers
if self.collaboration_bonus.qualifies_for_bonus(report) {
bonus_multiplier += 0.1; // 10% bonus
}
// Innovation bonus for novel attack vectors
if self.innovation_bonus.qualifies_for_bonus(report) {
bonus_multiplier += 0.25; // 25% bonus
}
(base_bounty as f64 * bonus_multiplier) as u64
}
}
Legal Protection
Safe Harbor
Researcher Protection:
pub struct SafeHarborProtection {
pub legal_framework: LegalFramework,
pub protection_scope: ProtectionScope,
pub compliance_requirements: ComplianceRequirements,
}
impl SafeHarborProtection {
pub fn get_protection_details(&self) -> ProtectionDetails {
ProtectionDetails {
protected_activities: vec![
"Security research conducted in good faith",
"Vulnerability discovery and analysis",
"Responsible disclosure following this policy",
"Testing on authorized test networks",
],
protection_conditions: vec![
"Research must be conducted ethically",
"No damage to production systems",
"No exfiltration of user data",
"Compliance with applicable laws",
],
legal_guarantees: vec![
"No legal action for good-faith research",
"Confidentiality of researcher identity",
"Protection from civil liability",
"Support in legal proceedings if needed",
],
}
}
}
Compliance Requirements
Researcher Responsibilities:
pub struct ComplianceRequirements {
pub ethical_guidelines: EthicalGuidelines,
pub legal_boundaries: LegalBoundaries,
pub technical_limitations: TechnicalLimitations,
}
impl ComplianceRequirements {
pub fn get_compliance_checklist(&self) -> Vec<ComplianceItem> {
vec![
ComplianceItem {
requirement: "Obtain explicit permission before testing",
description: "Only test systems you have permission to test",
verification: "Written consent or public testnet",
},
ComplianceItem {
requirement: "Do not cause damage to systems",
description: "Avoid any actions that could harm system availability or integrity",
verification: "Limited to read-only operations or test environments",
},
ComplianceItem {
requirement: "Protect user privacy and data",
description: "Do not access or exfiltrate user data",
verification: "No access to production user data",
},
ComplianceItem {
requirement: "Follow responsible disclosure timeline",
description: "Report vulnerabilities before public disclosure",
verification: "Adherence to disclosure policy",
},
ComplianceItem {
requirement: "Comply with applicable laws",
description: "Follow all relevant laws and regulations",
verification: "Legal review of research methods",
},
]
}
}
Public Disclosure
Disclosure Policy
Disclosure Guidelines:
pub struct DisclosurePolicy {
pub timing_guidelines: TimingGuidelines,
pub content_requirements: ContentRequirements,
pub coordination_process: CoordinationProcess,
}
impl DisclosurePolicy {
pub fn get_disclosure_timeline(&self, severity: SeverityLevel) -> DisclosureTimeline {
match severity {
SeverityLevel::Critical => DisclosureTimeline {
initial_disclosure: Duration::days(14),
detailed_disclosure: Duration::days(30),
technical_details: Duration::days(60),
},
SeverityLevel::High => DisclosureTimeline {
initial_disclosure: Duration::days(30),
detailed_disclosure: Duration::days(60),
technical_details: Duration::days(90),
},
SeverityLevel::Medium => DisclosureTimeline {
initial_disclosure: Duration::days(60),
detailed_disclosure: Duration::days(90),
technical_details: Duration::days(120),
},
SeverityLevel::Low => DisclosureTimeline {
initial_disclosure: Duration::days(90),
detailed_disclosure: Duration::days(120),
technical_details: Duration::days(180),
},
SeverityLevel::Informational => DisclosureTimeline {
initial_disclosure: Duration::days(90),
detailed_disclosure: Duration::days(120),
technical_details: Duration::days(180),
},
}
}
}
Credit and Recognition
Researcher Recognition:
pub struct ResearcherRecognition {
pub hall_of_fame: HallOfFame,
pub public_credits: PublicCredits,
pub certification_program: CertificationProgram,
}
impl ResearcherRecognition {
pub fn get_recognition_options(&self) -> Vec<RecognitionOption> {
vec![
RecognitionOption {
type: "Hall of Fame",
description: "Permanent recognition on security website",
criteria: "Valid vulnerability submission following policy",
benefits: vec!["Public recognition", "Professional credibility"],
},
RecognitionOption {
type: "Security Researcher Certification",
description: "Official certification as Savitri Security Researcher",
criteria: "Multiple high-quality vulnerability submissions",
benefits: vec!["Professional certification", "Priority access to beta programs"],
},
RecognitionOption {
type: "Conference Speaking Opportunities",
description: "Invitations to speak at Savitri security conferences",
criteria: "Significant contributions to ecosystem security",
benefits: vec!["Industry recognition", "Networking opportunities"],
},
RecognitionOption {
type: "Swag and Merchandise",
description: "Exclusive security researcher merchandise",
criteria: "Any valid vulnerability submission",
benefits: vec!["Physical recognition", "Community belonging"],
},
]
}
}
Policy Updates
Revision Process
Policy Maintenance:
pub struct PolicyMaintenance {
pub review_schedule: ReviewSchedule,
pub update_process: UpdateProcess,
pub community_feedback: CommunityFeedback,
}
impl PolicyMaintenance {
pub fn get_maintenance_schedule(&self) -> MaintenanceSchedule {
MaintenanceSchedule {
quarterly_review: "Review bounty amounts and response times",
annual_review: "Comprehensive policy review and updates",
emergency_review: "Immediate review for major security incidents",
community consultation: "Annual community feedback collection",
}
}
}
This comprehensive responsible disclosure policy provides clear guidelines for security researchers while ensuring proper protection for both researchers and the Savitri Network ecosystem.