Reference client for NEAR is held to highest security standard. This document defines the policy how to report vulnerabilities and receive updates when security patches are released.
If you have any suggestions or comments about the security policy, please email the NEAR Security Team at security@nearprotocol.com
All security issues and questions should be reported by sending email to NEAR Security Team at security@nearprotocol.com. This will be acknowledged within 24 hours by the NEAR Security Team and kick of review process. You will receive a more detailed response to the email within 72 hours indicating perceived severity and the next steps in handling your report.
After initial reply to your report, the security team will keep your informed about the progress toward patching and public disclosure.
- Security report is received and assigned to an owner. This person will coordinate process of evaluating, fixing, releasing and disclosing the issue.
- After initial report received, the evaluation process is performed. It's identified if the issue exists, it's severity and which version / components of the code are affected. Additional review to identify similar issues also happens.
- Fixes are implemented for all supported releases. These fixes are not publicly communicated but held in private repo of Security Team or locally.
- A suggested announcement date for this vulnerability is chosen. The notification is drafted and includes patches to all supported versions and effected components.
- On the announcement date, the NEAR Security Update newsletter is sent an announcement. The changes are fast tracked and merged into the public repository. At least 6 hours after the mailing list is notified, a copy of the advisory will be published across social channels.
This process may take time, especially when coordinating with network participants and maintainers of other components in the ecosystem. The goal will be to address issues in as short period as possible, but it's important that the process described above to ensure that disclosures are handled in consistent manner.
Note: If Security Team identifies that an issue is mission critical and requires subset of network participants to update prior to newsletter announcement - this will be done in manual way by communicating via direct channels.
If you are must be informed about security vulnerabilities, please subscribe to the NEAR Security Update newsletter. The newsletter is very low traffic and only sent our where public disclosure of a vulnerability happens.