NOTE: This policy is more developer focused than end-user focused. This will change when there is a MVP and the application is available to users.
Before contributing to this project please take some time to read through this. Coordination with the Security team is important to keeping our data and our users safe.
To report a vulnerability, message @JackDawsen in the Discord for further instructions regarding secure communications about the vulnerability.
Generally we follow the Google Project Zero reporting and disclosure timeline. Vulnerability reporters can choose to claim credit for their findings and we will attach their name as appropriate.
SECURITY.md will be the primary document for security policy and it will be updated as necessary. Because the project is in its early design stages we aren't implementing security measures now. Instead we're documenting security requirements so that they can be implemented as the project gets off the ground.
This will be addressed as platforms, languages, and frameworks are decided. As development starts we consider the following general principles important:
- Validate input.
- Keep it simple.
- Default deny.
- Adhere to the principle of least privilege.
- Sanitize data sent to other systems.
- Only store data that you need.
- Personally identifiable information and other non-public data MUST be encrypted.
Encryption standards can be higher than, but not less than:
- AES-256 for symmetric encryption in block/streaming modes
- RSA-4096 for asymmetric encryption
- SHA2 for hashing, supplemented by HMAC where appropriate
All communications into and out of the platform and connections between components must be encrypted. External connections from the platform, such as from web browsers to our web servers, must use TLS. Internal connections, such as from web servers to database servers, must also be encrypted using appropriate configurations. The only exceptions are for external systems that don't support encryption and sensitive or non-public data will not be sent to or requested from those systems.
All stored user data must be encrypted. Financial data of a non-public nature must be encrypted. Credentials, access tokens, and other user-specific access devices must be hashed using a salt that is different between users. Credentials, access tokens, and other access devices that must be used by the system to access external systems must be encrypted at rest.