This security document is the process that the Gaia team follows regarding security issues that can impact partners and users of Gaia and the Cosmos Hub network.
If a vulnerability and its exploit are both publicly known, the security process may not apply. However, in such cases, resolutions and mitigation strategies may still be eligible for rewards through a bounty program.
As part of our Coordinated Vulnerability Disclosure Policy, we operate a bug bounty. See the policy for more details on submissions and rewards, and see "Example Vulnerabilities" (below) for examples of the kinds of bugs we're most interested in.
We require that all researchers:
- Use the bug bounty to disclose all vulnerabilities, and avoid posting vulnerability information in public places, including Github, Discord, Telegram, and Twitter
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data
- Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Gaia engineering team until the issue has been resolved and disclosed
- Avoid posting personally identifiable information, privately or publicly
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research on this vulnerability
- Work with you to understand, resolve and ultimately disclose the issue in a timely fashion
Gaia uses the following disclosure process:
- Once a security report is received, the Gaia team works to verify the issue and confirm its severity level using CVSS.
- The team collaborates with the Cosmos SDK and Tendermint teams to determine the vulnerability’s potential impact on the Cosmos Hub.
- Patches are prepared for eligible releases of Gaia in private repositories. See “Supported Releases” below for more information on which releases are considered eligible.
- If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
- We provide the community with a 24 hour notice that a security release is impending, giving partners time to prepare their systems for the update. Notifications can include Discord, Telegram, Twitter, forum posts, and emails, including emails sent to the Tendermint Security Mailing List.
- 24 hours following this notification, the fixes are applied publicly and new releases are issued.
- Once new security releases are available, we notify the community, through the same channels as above.
- Once the community is notified, we will pay out any relevant bug bounties to submitters.
- Approximately one week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it. This timeline may be adjusted depending on the severity of the issue and the need to inform and update partner Cosmos zones.
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Gaia and its partner projects--including but not limited to the Cosmos Hub--as secure as possible.
Communications to Cosmos Hub Validators will include the following details:
- Affected version(s)
- New release version
- Impact on user funds
- For timed releases, a date and time that the new release will be made available
- Impact on the hub if upgrades are not completed in a timely manner
- Potential actions to take if an adverse condition arises during the security release process
An example notice looks like:
Dear Cosmos Hub Validators,
A critical security vulnerability has been identified in Gaia v4.0.x.
User funds are NOT at risk; however, the vulnerability can result in a chain halt.
This notice is to inform you that on [[**March 1 at 1pm EST/6pm UTC**]], we will be releasing Gaia v4.1.x, which patches the security issue.
We ask all validators to upgrade their nodes ASAP.
If the chain halts, validators with sufficient voting power need to upgrade and come online in order for the chain to resume.
The following is an example timeline for the triage and response. The required roles and team members are described in parentheses after each task; however, multiple people can play each role and each person may play multiple roles.
- Request CVE number (ADMIN)
- Gather emails and other contact info for validators (COMMS LEAD)
- Test fixes on a testnet (GAIA ENG, TENDERMINT ENG, COSMOS SDK ENG)
- Write “Security Advisory” for forum (GAIA LEAD)
- Post “Security Advisory” pre-notification on forum (GAIA LEAD)
- Post Tweet linking to forum post (COMMS LEAD)
- Announce security advisory/link to post in various other social channels (Telegram, Discord) (COMMS LEAD)
- Send emails to validators or other users (PARTNERSHIPS LEAD)
- Cut Tendermint releases for eligible versions (TENDERMINT ENG)
- Cut Cosmos SDK release for eligible versions (COSMOS SDK ENG)
- Cut Gaia release for eligible versions (GAIA ENG)
- Post “Security releases” on forum (GAIA LEAD)
- Post new Tweet linking to forum post (COMMS LEAD)
- Remind everyone via social channels (Telegram, Discord) that the release is out (COMMS LEAD)
- Send emails to validators or other users (COMMS LEAD)
- Publish Security Advisory and CVE, if CVE has no sensitive information (ADMIN)
- Write forum post with exploit details (GAIA LEAD)
- Approve pay-out on HackerOne for submitter (ADMIN)
- Publish CVE if it has not yet been published (ADMIN)
- Publish forum post with exploit details (GAIA ENG, GAIA LEAD)
The Gaia team commits to releasing security patch releases for both the latest minor release as well for the major/minor release that the Cosmos Hub is running.
If you are running older versions of Gaia, we encourage you to upgrade at your earliest opportunity so that you can receive security patches directly from the Gaia repo. While you are welcome to backport security patches to older versions for your own use, we will not publish or promote these backports.
The full scope of our bug bounty program is outlined on our Hacker One program page. Please also note that, in the interest of the safety of our users and staff, a few things are explicitly excluded from scope:
- Any third-party services
- Findings from physical testing, such as office access
- Findings derived from social engineering (e.g., phishing)
The following is a list of examples of the kinds of vulnerabilities that we’re most interested in. It is not exhaustive: there are other kinds of issues we may also be interested in!
- Injection exploits
- Privilege escalation
- IBC
- Inter-module interactions
- Web exploits
- Network channel attacks
- Replay attacks
Future vulnerabilities could include:
- Zero-knowledge libraries
- Dependencies