Change CodeQL

.github/workflows/codeql-analysis.yml

@@ -13,10 +13,13 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -29,15 +32,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +54,5 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3
+

SECURITY.md

@@ -1,31 +1,31 @@
-# RSK's Security Process
+# Token Bridge's Security Process
 
 We're committed to conduct our security process in a professional and civil manner. Public shaming, under-reporting or misrepresentation of vulnerabilities will not be tolerated.
 
 ## Responsible Disclosure
 
-For all security related issues, RSK has to main points of contact. Reach us at <security@iovlabs.org> or refer to our [Bug Bounty Program.](https://www.rsk.co/bounty-program/) **Do not open up a GitHub issue if the bug is a security vulnerability.**
+For all security related issues, Token Bridge has to main points of contact. Reach us at <security@rootstocklabs.com> or refer to our [Bug Bounty Program.](https://www.rootstocklabs.com/bug-bounty-program/) **Do not open up a GitHub issue if the bug is a security vulnerability.**
 
 **Ensure the bug was not already reported** by searching on Github under [Issues](https://github.com/rsksmart/tokenbridge/issues).
 
 ## Vulnerability Handling
 
 ### Response Time
 
-RSK will make a best effort to meet the following response times for reported vulnerabilities:
+RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities:
 
-* Time to first response (from report submit) - 24 hours
-* Time to triage (from report submit) - 2 business days
+* Time to first response (from report submit) - 5 business days
+* Time to triage (from report submit) - 7 business days
 * Time to bounty (from triage) - 15 business days
 
 We’ll try to keep you informed about our progress throughout the process.
 
 ### Disclouse Policy
 
 * Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
-* Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to RSK with considerable delay, then RSK may reduce or cancel the bounty.
+* Public disclosure of a vulnerability makes it ineligible for a bounty. 
 
-For more information check RSK bounty program policy at [HackerOne](https://hackerone.com/iovlabs)
+For more information check RootstockLabs bounty program policy at [HackerOne](https://hackerone.com/rootstocklabs)
 
 ## Public Keys