Add SECURITY.md responsible disclosure policy#1017

Draft
nachog00 wants to merge 6 commits into dev from security-policy
Conversation

@nachog00
Contributor

Summary

  • Adds SECURITY.md following the RD-Crypto-Spec Responsible Disclosure standard used by Zebra and Zcash
  • Documents two reporting paths: GitHub Private Vulnerability Reporting and encrypted email (security@zingolabs.org)
  • Includes a "Silent Exploitation Protection" deviation clause tailored to Zaino's indexer role (misreported balances, corrupted tree data, privacy leaks)
  • Marks bilateral disclosure agreements with ECC/ZF as intended but not yet formalized

TODOs before merging

  • Confirm zingolabs.org domain ownership and set up security@zingolabs.org mailbox/alias
  • Generate PGP key for security@zingolabs.org and embed the public key block in the file
  • Enable GitHub Private Vulnerability Reporting in repo settings (Settings > Code security and analysis)
  • Reach out to ECC and ZF about formalizing bilateral disclosure agreements

Follows the RD-Crypto-Spec standard used by the rest of the Zcash
ecosystem (Zebra, Zcash). Documents both GitHub Private Vulnerability
Reporting and encrypted email as intake paths, includes a "Silent
Exploitation Protection" deviation clause tailored to Zaino's indexer
role, and marks bilateral agreements with ECC/ZF as intended but not
yet formalized.

PGP key for security@zingolabs.org is a TODO pending key generation.
@nachog00 nachog00 requested a review from zancas April 20, 2026 18:08
zancas
zancas previously approved these changes Apr 20, 2026
@zancas
Member

zancas commented Apr 20, 2026

nvm

zancas and others added 2 commits April 20, 2026 15:47
Proton Mail provides built-in E2EE for Proton-to-Proton senders, with
PGP as a fallback for external senders. PGP key embed is still a TODO
pending export from the Proton account.