Security Disclosures

Found a critical bug or need to report a security issue? Juno's disclosure process is documented alongside the source code, but is also reproduced here.

Last updated 1 year ago

If you have a vulnerability or critical issue to disclose, follow responsible disclosure practice and do not speak publicly about it. If it affects other CosmWasm chains, then notify them as well. Typically, chains maintain a SECURITY.md document alongside their source code with instructions for notifying the team.

Juno's SECURITY.md file can be found here, and is reproduced below:

Juno bug reporting

The Juno core development team uses GitHub to manage feature requests and bugs. This is done via GitHub Issues.

Triage and progress 🔜

Issues added to GitHub will be triaged as they come in.

Tracking of in-flight issues will be done through the Juno Core project board, but of course we reserve the right to not make a public issue if there is a security implication in doing so.

Feature request 🚀

For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Juno.

If it is something that can be handled by a param change, discuss it on Discord in the #governance channel, and consider a governance proposal.

Standard priority bug 🐛

For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.

If it is not triaged in a couple of days, feel free to tag @the-frey or @jakehartnell.

Critical bug or security issue 💥

  • Jake (Meow) Meow Stargaze ✨🔭#1736

  • Dimi dimi 🦙#2998

  • Alex (the-frey) the-frey#8626

  • Jacob jacobgadikian#9883

Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you:

  • Allow us a reasonable amount of time to correct or address security vulnerabilities.

  • Avoid exploiting any vulnerabilities that you discover.

  • Demonstrate good faith by not disrupting or degrading Juno’s network, data, or services.

Vulnerability Disclosure Process

Juno uses the following disclosure process:

  • Once a security report is received, the Juno core development team works to verify the issue.

  • Patches are prepared for eligible releases in private repositories.

  • We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators.

  • 24 hours following this notification, the fixes are applied publicly and new releases are issued.

  • Once releases are available for Juno, we notify the community, again, through the same channels as above. We also publish a Security Advisory on GitHub and publish the CVE, as long as neither the Security Advisory nor the CVE includes any information on how to exploit these vulnerabilities beyond what information is already available in the patch itself.

  • Once the community is notified, we will pay out any relevant bug bounties to submitters.

  • One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it.

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Juno and the projects running on it secure.

If you're here because you're trying to figure out how to notify us of a security issue, go to Discord, and alert the core engineers listed under "Critical bug or security issue 💥" above.