Is Amulet a security point of contact?

It is unclear if Amulet is a security point of contact.

@Greg from Informal says that the canonical path for reporting security issues is SECURITY.md in any cosmos repository.

I have been informed by @Syed and Abra from the ICF that amulet is no longer a security point of contact – or maybe that they never were, except for with Barberry. I truly don’t know.

Around the time of barberry, I was told that amulet would be the point of contact going forward by @jack, @zaki_iqlusion, @catdotfish, and @Syed.

But now, we’ve got others saying otherwise. Additionally, @jack is saying:

Note: the above screenshot is from a public chat, Telegram: Contact @cosmonauthq – you can find Jack's commentary here:

I wish to note that Notional has simply been seeking the correct reporting path for these types of issues.

@Jessysaurusrex is most certainly not a security threat, nor is Amulet.

The confusion, on the other hand, is a security threat.

Just to CLARIFY, we said that this post stated that the email address “barberry -at- amulet.dev” should be used for Barberry incident response. The exact quote from the post:

If your chain is running on v0.45 or below with backported features from SDK modules and you are concerned about being vulnerable to this issue, please reach out to barberry@amulet.dev where members of the Informal Systems and Amulet teams will be on hand to help identify, if your chain is vulnerable and to assist with patching.

Beyond this, every key repo has a security.md file with the latest and most accurate process for reporting vulnerabilities, e.g. https://github.com/cosmos/gaia/blob/main/SECURITY.md

As you know we’ve been having a conversation about this for a few days now, and it’s worrisome that there actually was not an answer to that question that could be given with any clarity or definition.

Basically, there's really just one question at play here with some teeny context.

Context:

  • at barberry I was told by many that Amulet would be the security point of contact going forward, and this information came from ICF team members and ICF funded teams.

  • when I asked about this a few days ago, no one could answer my question as to whether or not Amulet was a security point of contact.

  • It is dangerous to have a lack of clarity and definition around who is the security point of contact, and for the ICF and teams that are funded by the ICF to provide inaccurate security point of contact information.

Question:

  • Should teams contact Amulet to report security issues? (since your reply, I am surely even less sure of the answer to this question)

I want to mention that I’ve been informed that there’ll be a response from the ICF by today.

I do understand what you’re saying though it doesn’t jibe with what I remember. Anyhow it is certainly not what some others are saying which is why I’m seeking clarity on the matter.

Thank you.

Bump.

@Syed @ebuchman – I would like to know if amulet is a security point of contact and for what, if they are.

Is anybody able to clarify this item for me?

I’m getting markedly different answers depending on who I speak to.

@jacobgadikian this has been something that was in the works for some time, but not finalised, hence the lack of clarity. It seems that it has been finalised; see the Amulet announcement from the ICF:


Thanks!

I very much appreciate the clarity.
