Draft of the steps that should be taken when a security issue is found in Ethereum. A security issue is defined as a problem within the scope of Security-Categorization.
Partly inspired by the OWASP Risk Rating methodology.
- Add an entry describing the issue at (TODO: github link).
- Estimate likelihood, impact and complexity of fix.
  - Likelihood: how likely is it to be uncovered and exploited by an attacker?
    - Ease of discovery?
    - Ease of exploit?
    - Likelihood of detection?
  - Impact:
    - Blockchain consensus. Potential of a blockchain fork?
    - Financial damage. Loss of ether?
    - Privacy. E.g. revealing who sent a tx or who owns an address.
    - Availability. Can it impact availability of node(s)?
- Affected software version(s).
  - Protocol version.
  - Client version(s). Single or multiple implementations?
  - OS / external library version(s).
- Link to relevant source code.
- How to fix.
- How to test.
- Who is assigned to fix the issue?
- Who will test / review a fix?
- Who takes responsibility for preparing new builds of client software?
- Who is responsible for disclosing the issue?
- Communication channels (mail lists, twitter, github).
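The draft lists the likelihood and impact questions but not how to turn the answers into a rating. The following is an added example, not part of the draft or of any Ethereum client, that applies the OWASP Risk Rating scheme the draft cites to exactly those factors: each factor is scored 0-9 (OWASP's scale, where higher is worse for the defender, so "likelihood of detection" is scored by how likely the exploit is to go unnoticed), likelihood and impact are each averaged and bucketed into LOW / MEDIUM / HIGH, and the two levels are combined with OWASP's severity matrix. The factor names, the `IssueEntry` class and both sample issues are constructed for this example; the version strings are placeholders.

```python
"""Triage helper: OWASP Risk Rating applied to the draft's likelihood/impact factors.

Added example, not code from the original draft. Factor names, IssueEntry and the
sample issues below are constructed; the 0-9 scale, level thresholds and severity
matrix are OWASP's.
"""
from dataclasses import dataclass, field
from typing import Dict

# The draft's likelihood questions. "likelihood_of_detection" follows OWASP's
# convention: 9 means the exploit would almost certainly go undetected.
LIKELIHOOD_FACTORS = ("ease_of_discovery", "ease_of_exploit", "likelihood_of_detection")
# The draft's impact categories: consensus, financial, privacy, availability.
IMPACT_FACTORS = ("consensus_fork", "financial_loss", "privacy", "availability")

# OWASP overall severity, indexed as SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


def _check_scores(scores: Dict[str, int], expected: tuple) -> None:
    """Reject entries that skip a factor or use a score outside 0-9."""
    if set(scores) != set(expected):
        raise ValueError(f"expected factors {expected}, got {tuple(scores)}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be an integer 0-9, got {value!r}")


@dataclass
class IssueEntry:
    """One issue-tracker entry as the draft describes it (constructed structure)."""
    title: str
    likelihood: Dict[str, int]
    impact: Dict[str, int]
    affected_versions: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        _check_scores(self.likelihood, LIKELIHOOD_FACTORS)
        _check_scores(self.impact, IMPACT_FACTORS)


def average(scores: Dict[str, int]) -> float:
    return sum(scores.values()) / len(scores)


def level(score: float) -> str:
    """OWASP buckets: < 3 LOW, 3 to < 6 MEDIUM, >= 6 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(entry: IssueEntry) -> dict:
    """Return the averaged scores, their levels, the matrix severity and the
    single worst impact factor (averaging can hide one catastrophic category,
    so the dominant factor is reported alongside the level)."""
    lk, im = average(entry.likelihood), average(entry.impact)
    lk_level, im_level = level(lk), level(im)
    return {
        "title": entry.title,
        "likelihood": round(lk, 2),
        "likelihood_level": lk_level,
        "impact": round(im, 2),
        "impact_level": im_level,
        "severity": SEVERITY[im_level][lk_level],
        "dominant_impact": max(entry.impact, key=entry.impact.get),
    }


# Constructed sample entries (scores are illustrative, versions are placeholders).
CONSENSUS_EXAMPLE = IssueEntry(
    title="Constructed sample: consensus-affecting bug",
    likelihood={"ease_of_discovery": 7, "ease_of_exploit": 7, "likelihood_of_detection": 8},
    impact={"consensus_fork": 9, "financial_loss": 8, "privacy": 2, "availability": 7},
    affected_versions={"protocol": "PLACEHOLDER", "client": "PLACEHOLDER"},
)
PRIVACY_EXAMPLE = IssueEntry(
    title="Constructed sample: metadata leak revealing the sender of a tx",
    likelihood={"ease_of_discovery": 5, "ease_of_exploit": 4, "likelihood_of_detection": 6},
    impact={"consensus_fork": 0, "financial_loss": 1, "privacy": 6, "availability": 1},
    affected_versions={"client": "PLACEHOLDER"},
)

if __name__ == "__main__":
    for entry in (CONSENSUS_EXAMPLE, PRIVACY_EXAMPLE):
        print(rate(entry))
```

The consensus sample rates HIGH likelihood (7.33) and HIGH impact (6.5), so CRITICAL; the privacy sample rates MEDIUM likelihood (5.0) against LOW impact (2.0), so LOW. Recording the same 0-9 answers in each tracker entry is what makes two people's ratings comparable when deciding who fixes what first.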