
Vulnerability process

After receiving a vulnerability report, we follow the process outlined below.

Process steps

① Create CWA

info

CWA stands for CosmWasm Advisory. Advisories are tracked in a dedicated CosmWasm Advisories repository.

Create a new document in the CosmWasm Advisories repository, based on the CWA-TEMPLATE.md file. The new file should be named CWA-YYYY-NNN.md, where YYYY is the year in which the vulnerability was reported, and NNN is the next sequential number for that year. Numbering starts at 001 each year.

warning

The initial version of a CWA should contain only a minimal set of information. Typically, it should be empty and have just the CWA number, to avoid giving potential attackers any details that could be used to exploit the vulnerability.

tip

Use the CWA number in all communications to ensure that all parties are discussing the same issue.

Newly created CWA documents should be updated over time as it becomes safe to publish additional details.
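As an added illustration of step ①, the helper below allocates the next CWA identifier from the filenames already present in a checkout of the advisories repository and writes the deliberately minimal initial file. It is example code written for this page, not tooling from the CosmWasm project. It assumes that the next number is the current maximum for that year plus one (so a number is never reused even if a file is removed), and that the initial document consists of nothing but a heading with the CWA number; both are assumptions, as the page does not prescribe either.

```python
import re
from datetime import date
from pathlib import Path

# Filename convention from the process: CWA-YYYY-NNN.md (e.g. CWA-2024-003.md).
CWA_FILENAME = re.compile(r"^CWA-(\d{4})-(\d{3})\.md$")
# Identifier as it should appear in communications and release notes.
CWA_ID = re.compile(r"^CWA-\d{4}-\d{3}$")


def parse_cwa_filename(name):
    """Return (year, number) for a CWA-YYYY-NNN.md filename, else None.

    Non-matching names such as CWA-TEMPLATE.md or README.md are ignored.
    """
    m = CWA_FILENAME.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_valid_cwa_id(cwa_id):
    """Check that an identifier has the CWA-YYYY-NNN shape."""
    return CWA_ID.match(cwa_id) is not None


def next_cwa_id(existing_filenames, year):
    """Allocate the next identifier for `year`, restarting at 001 each year.

    Assumption (not stated on the page): the next number is max + 1 for the
    year, so gaps are never refilled and old references stay unambiguous.
    """
    numbers = []
    for name in existing_filenames:
        parsed = parse_cwa_filename(name)
        if parsed is not None and parsed[0] == year:
            numbers.append(parsed[1])
    n = max(numbers, default=0) + 1
    if n > 999:
        raise ValueError(f"CWA numbering for {year} is exhausted (>999)")
    return f"CWA-{year}-{n:03d}"


def initial_cwa_document(cwa_id):
    """Content of the initial, intentionally empty advisory.

    Assumption: only the CWA number is published at this stage; no affected
    versions, impact or fix details that could help an attacker.
    """
    if not is_valid_cwa_id(cwa_id):
        raise ValueError(f"not a CWA identifier: {cwa_id!r}")
    return f"# {cwa_id}\n"


def create_initial_cwa(repo_dir, year=None):
    """Create CWA-YYYY-NNN.md in `repo_dir` and return the new identifier.

    `repo_dir` is assumed to be a local checkout of the advisories repository.
    """
    repo = Path(repo_dir)
    year = year or date.today().year
    names = [p.name for p in repo.iterdir() if p.is_file()]
    cwa_id = next_cwa_id(names, year)
    target = repo / f"{cwa_id}.md"
    if target.exists():  # defensive: never overwrite an existing advisory
        raise FileExistsError(target)
    target.write_text(initial_cwa_document(cwa_id), encoding="utf-8")
    return cwa_id


if __name__ == "__main__":
    import tempfile

    # Constructed sample checkout: two advisories from 2023 plus the template.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("CWA-2023-001.md", "CWA-2023-002.md", "CWA-TEMPLATE.md"):
            (Path(tmp) / name).write_text("", encoding="utf-8")
        print(create_initial_cwa(tmp, year=2024))  # CWA-2024-001
        print(create_initial_cwa(tmp, year=2024))  # CWA-2024-002
```

Run it from a clone of the advisories repository, or use the demo at the bottom, which builds a throwaway checkout. Any text you add to the generated file before the patch is released widens what a potential attacker can learn, so keep the stub exactly as generated until step ⑤.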

② Distribute pre-notifications

Send out pre-notifications, including:

  • severity,
  • affected version,
  • description of what can happen (DoS, loss of funds, etc.),
  • planned release date

to:

③ Release patch

Release the patch using regular release procedures. This can take some time depending on which build systems are part of the release. In the release notes you should mention that it includes a fix for CWA-YYYY-NNN.

④ Communicate release

Communicate the release using the same channels as the pre-notifications.

⑤ Fill CWA details

Add the full details of the vulnerability to the CWA a few weeks later, once you judge that all teams have had reasonable time to upgrade their chains.