Create SECURITY.md (#137)

add security.md

---------

Signed-off-by: Kenny P <[email protected]>

.github/pull_request_template.md

@@ -0,0 +1,45 @@
+<!-- < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < ☺
+v                               ✰  Thanks for creating a PR! ✰
+v    Before smashing the submit button please review the checkboxes.
+v    If a checkbox is n/a - please still include it but + a little note why
+v    If your PR doesn't close an issue, that's OK!  Just remove the Closes: #XXX line!
+☺ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >  -->
+
+Closes: #XXX
+
+## What is the purpose of the change
+
+> Add a description of the overall background and high level changes that this PR introduces
+
+*(E.g.: This pull request improves documentation of area A by adding ....)*
+
+## Testing and Verifying
+
+*(Please pick one of the following options)*
+
+This change is a trivial rework / code cleanup without any test coverage.
+
+*(or)*
+
+This change is already covered by existing tests, such as *(please describe tests)*.
+
+*(or)*
+
+This change added tests and can be verified as follows:
+
+*(example:)*
+  - *Added unit test that validates ...*
+  - *Added integration tests for end-to-end deployment with ...*
+  - *Extended integration test for ...*
+  - *Manually verified the change by ...*
+
+## Documentation and Release Note
+
+  - [ ] Does this pull request introduce a new feature or user-facing behavior changes?
+
+
+Where is the change documented?
+  - [ ] Specification (`x/{module}/README.md`)
+  - [ ] Allora documentation site `docs.allora.network` source code at: `https://github.com/allora-network/docs`
+  - [ ] Code comments?
+  - [ ] N/A

SECURITY.md

@@ -0,0 +1,72 @@
+# Security Policy
+
+## Introduction
+
+Security researchers are essential in identifying vulnerabilities that may impact the Allora ecosystem. If you have discovered a security vulnerability in the Allora chain or any repository managed by Allora, we encourage you to notify us using one of the methods outlined below.
+
+### Guidelines for Responsible Vulnerability Testing and Reporting
+
+1. **Refrain from testing vulnerabilities on our publicly accessible environments**, including but not limited to:
+  - Allora mainnet
+  - any Allora-affiliated frontends e.g. allora.network, alloralabs.xyz
+  - Allora public testnets
+  - Allora testnet frontend
+
+2. **Avoid reporting security vulnerabilities through public channels, including GitHub issues**
+
+## Reporting Security Issues
+
+To privately report a security vulnerability, please choose one of the following options:
+
+### 1. Email
+
+Send your detailed vulnerability report to `[email protected]`.
+
+### 2. GitHub Private Vulnerability Reporting
+
+Utilize [GitHub's Private Vulnerability Reporting](https://github.com/allora-network/allora-chain/security/advisories/new) for confidential disclosure.
+
+## Submit Vulnerability Report
+
+When reporting a vulnerability through either method, please include the following details to aid in our assessment:
+
+- Type of vulnerability
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Impact of the issue
+- Explanation of how an attacker could exploit it
+
+## Vulnerability Disclosure Process
+
+1. **Initial Report**: Submit the vulnerability via one of the above channels.
+2. **Confirmation**: We will confirm receipt of your report within 48 hours.
+3. **Assessment**: Our security team will evaluate the vulnerability and inform you of its severity and the estimated time frame for resolution.
+4. **Resolution**: Once fixed, you will be contacted to verify the solution.
+5. **Public Disclosure**: Details of the vulnerability may be publicly disclosed after ensuring it poses no further risk.
+
+During the vulnerability disclosure process, we ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. Should a security issue require a network upgrade, additional time may be needed to raise a governance proposal and complete the upgrade.
+
+During this time:
+
+- Avoid exploiting any vulnerabilities you discover.
+- Demonstrate good faith by not disrupting or degrading Allora's services.
+
+## Severity Characterization
+
+| Severity     | Description                                                             |
+| ------------ | ----------------------------------------------------------------------- |
+| **CRITICAL** | Immediate threat to critical systems (e.g., chain halts, funds at risk) |
+| **HIGH**     | Significant impact on major functionality                               |
+| **MEDIUM**   | Impacts minor features or exposes non-sensitive data                    |
+| **LOW**      | Minimal impact                                                          |
+
+## Bug Bounty
+
+Though we don't have an official bug bounty program, we generally offer rewards to security researchers who responsibly disclose vulnerabilities to us. Bounties are generally awarded for vulnerabilities classified as **high** or **critical** severity. Bounty amounts will be determined during the disclosure process, after the severity has been assessed. Please note that in order to collect a bounty, the reporter must go through a KYC process.
+
+> [!WARNING] 
+> Targeting our production environments will disqualify you from receiving any bounty.
+
+## Feedback on this Policy
+
+For recommendations on how to improve this policy, either submit a pull request or send an email to `[email protected]`.