fixed typocs and style

Author: CvH

docs/security/bugbounty.md

@@ -1,16 +1,13 @@
-### Immunefi
+## Immunefi
 https://immunefi.com/bounty/polygon
 
 https://immunefi.com/bounty/polygonzkevm/
 
-### Hexens
+## Hexens
 https://r.xyz/program/f86864f2-8e7b-443a-84fe-cc0925f06221
 
-### HackenProof
+## HackenProof
 https://hackenproof.com/polygon-technology/polygon-pos
 
-### HackerOne
-https://hackerone.com/polygon-technology
-
-## Responsible disclosure
-security@polygon.technology
+## HackerOne
+https://hackerone.com/polygon-technology

docs/security/contact.md

@@ -1,3 +1,2 @@
-# Contact us
-Polygon Labs Security organization is happy to talk to you. Feel free to reach out to us at:
+Polygon Labs security organization is happy to talk to you. Feel free to reach out to us at:
 security@polygon.technology

docs/security/disclosure.md

@@ -0,0 +1,104 @@
+Email to: security@polygon.technology
+
+## PGP public key
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: Keybase OpenPGP v2.0.76
+Comment: https://keybase.io/crypto
+
+xsFNBGUT/qEBEADieeiOhgfHn8KtAz+r9zAig3aiBlj2CxBwATVYUK9jDm+4SdHu
+godygYTPfhToHlRv/yptDUNRIHbNeqg1iZNcsgi0+uSZ8fvmyfSbnZC3WMJSUE8z
+d+C9h6/Oh50YfHbPCUu3UtU4BWzhTrvhxdPcwq4epsguiolDEP4Um8B8iCbbfJGw
+zbguT8o4qg/EYyEI6fTtnAOHx6489GD/7b3WCgrVcy5s6XSXpw3X+eQE8B2nbWTg
+Cahn6I5CPO/ZUhQ+Ma/3uRcLcQzhLC3IgTzjdTYHAbRgKurTPllZrOOAh4/FG4rY
+XzQRJ9DtxSvnTZXXlV5GE4Grfut9sHAVk/dN9CYMlgvohp5gutH+T9sUO2NEAlMu
+S0slJctr0RCs+9Nl60DxtvBz3lMgJksiS/HugE34gEcVPr7QfklHXlqsnhbDJPNo
+U+DQdCyondqmWlXYhXYLMea70nKA6YyINcavoexb5DGn+Gy2cf+3co4prF/QblBr
+eKy2MBGPvjXD/GC2QOS1YephQwICfFk+VoE9Gk3gIu6yXKEp+nteUGxgvCRuYF0Z
+HvixeNAvGchdxiCFoH6fMtrvutW0QOjGKLJu1p6aFkWR93Dd7gduJupwlt/RYDNG
+7stxUZu9pVbL9mI8KPkGdOBlC8yPjCvWBeQwmCSMt1hPG1A1plPNSDKFywARAQAB
+zS5wb2x5Z29uLXNlY3VyaXR5IDxzZWN1cml0eUBwb2x5Z29uLnRlY2hub2xvZ3k+
+wsF6BBMBCgAkBQJlE/6hAhsvAwsJBwMVCggCHgECF4ADFgIBAhkBBQkAAAAAAAoJ
+EIXYxnZoYpdPnSgP/0fcF7sksnjlgVHSRp+w3veWbPHDphpWZC4mhRDPHE77Elem
+25kWB3k75KW5JhH/pCtimO5mfM8G2WKSH5rQ1FU1t58vZfH6iEJWYzEAObzWfvak
+QLXCJ3LV4AKAomIMNp7m/+ZtoD5qTE4HICITJFIVLcpu51AIhZuC757ivujuqLUK
+PhzdDCC0a6JSlFunqi50ZBAEgdAuDgl0NHpYf09r3T5tw/0ByvBsjqxLYhe/Aazj
+yq5JVa6nV5ka8B/tIeP6kWEs1a82+RgyKHns+O4OFmZN7QxURXQHmaB/+tLoSNth
+PBZs/W8GGICa3MDrlyDkCl+b+WleIGlDbTyOzk7FRq39OBo0VelIxML51I7wQjw8
+07dt3bzO+c2vo87dXIOAXFbxHhL/nJyI83XwQ1hCwSRutb7P8j/VveFCfkIw6e/h
+3lgW5lSgJUg3TSon+2RJaF+STCV1edTYM1/YYtqiIJidyC/McIUZTH5oMLNbECTy
+gF9dfk15glIa6d+26zhw+q/jmx534JMdyv6a4n9WvE/diDCq0woEetoMfF95qP0j
+F3qqQvw0yhMmMg8sx+7br40SEFbeEG5SoIVAuMQtxBDCQzaEuLtUjX3iJqv9aP1V
+vqyXZqJjjLZEm9BryBWsmYT/5UHMegcElHkcEYRIG8BSyMhklNzXTtUUbzsVzsFN
+BGUT/qEBEADAB1oI85wHe84DNKU95lzuZ/DZx8sbTT1GE+N4scgxAd8knJLof/a+
+lU7yxuVON0iEnq08r1LHI5cEsdAWu8v8Yv0hbXR3jzryZXIjkEi6mXhujzzw/Ghz
+ACXvwS6RuYNZEemDg/cYN6N8i/olGEZNuDmKbD9nVoy0eEmefXD/JQGiLFJ7yvei
+ou7vwHP6LxzBkcb/g4n4i1TBLGqeJJGtQrtwVlwrD6NE3/ERO8U7biZ3TD6jLBWm
+fWSI5IYN+4PUrCttLGri+TOwtVs1rl2bBMaj+InMm9bj5WjJF+XVKZQMoZln+Qn2
+AkqT2PR9PaqrxCEuPehc/Iyfr1f4Fy3xHxkU5trh3e9TiAvGNQp8Pt1N0SAqZwu6
+zg+0Nfh2ep/7SEeKpNEH7vj36DJoCXWaLuiD1GFW2QyyNslGoH/2+T0Oow03l5cA
+H45SEXyezzHxUKtjv5/EFbIFsPKbOGqqZqxc+X4JHbU+kCHzVL9XMak31uBZ1vD+
+2oLWSbsnoCjHYyiJBhwsJ0NpIxfYQdTzQFtTk3vQACCF8BTMJ0+s+MAeFFeJC8by
+Ew6MXpHGLjONIbu659kteEojuJIGGdgYTKlF5/0zZdVtz8MqvSio1baZMhw9V9HI
+nS0zcWWGH94/R0/lkoYqeEbUJ4bzMHI/YHB70hL1lV3CaVJ7eV2VYwARAQABwsOE
+BBgBCgAPBQJlE/6hBQkAAAAAAhsuAikJEIXYxnZoYpdPwV0gBBkBCgAGBQJlE/6h
+AAoJEAZbSlMNXOyEN1YQAIs/t82MftZrLt6UKOlyKMG0mwXey/NTWYNs34J/+Eqj
+fY9f5PVHQmpm4keuYGvrqDAVXxqmFEgsbRR62QBSDIX1RtZnjZ3K0cfI6hDNgQiE
+VWlDLaXIB+ewQBUKynjMP2blJCrT3/THcQVqhNRP+0I07Qt+UMOTfxJJL92sgsEW
+lm4b+5+0BZQDYApA7LzSeB3yOqWCBdBxYrVRFOAGE8WuorawaTJPVdXvuH1OrM7z
+9SrfpANjX0/Azs4QoRzH3w0zKn03fJlLZ2CT8j+ZvIW3/rXFYQ8yt8pg2Fs6Fb5X
+PzFWuboAbnCmcTvGIW+05FeGcOqS5qQIPt4oMyanQ29/SLhnWule6KP3JjmRo1gZ
+kCFgkCKpO36kw9Yd6Anuiau70Y+rOKQNRxD03DdDvQclAvTgOIej+fgFiC/nrM8q
+D05UdOaWD64ci2gb6OP+YyLeWfj2S2EKnBGCLwODIu10o9SyJ+DGIYn1cdjlAw3J
+cVed3hBsMkE2D1+HAA6IpfqDr17hRxFYGEvmEaOI8LlCKuLbjkbPUHsVR0IKNn/t
+rE0sL6ZI2tBLIBX6C7fJBds4JwO+ClM5pOVaJrDKUvWSW7RZnejFOV3+TkHX3J5T
+CiFzBUcoWncNAg6ikcRLPcNNbfV1HcY3AGqQgW29TowbgE+donrJJU6qvR0vsQp6
+LiMQAMvEG6MqiJN6bLeWs2Sh87FZIgeacFYOVteAwXFRPgYYOYEPaKjtkAGxOTe2
+AzvGnQY8Tu2jsJN2URPYwWrhEhX16jqOc+mCFRQBy4aNczMw2au8bhylG323mfxB
+ODzMKKXmBCFYSYSqIy86nrKgLoXWKmVOkfhRRboDoeBbsbH78P7LIYpODNZfbuu3
+JlhJb5yTEbxdoqmc8af07YVzNi2wYemi0NWxhj2gOjwR7l24hKw9w++ILuiymCHw
+z/QE1myDAI1aLoF+laA8vN929FkW7YQ7IEJhvdlCWY57bkwZKrBysth7Gwc8EEf5
+Nt/9d2CoU2w9nRkg0w40ysOXDmHOoJ3vNK+6U0egZJ2qmqX77QSuKgVlKPjTdTjB
+4dg2oqjfPyKFGi8yBgU7p4SHF8iTpQsUlMR1WtkVApUDsRhHmaxBvwxRmXL7Q+Zi
+SmD9YW4/gG9MB4zvQzHXIKjyrWjQ8VtNqWy8mXpW4UbTC4ao/VRGtvKC6lE8z4Wm
+WD0ByLEAyTlxZZpl8EOppNStlnU/FvopSAc8tf+1GeAW5alqlx779k4zOmyAstw5
+DqB86JFVJ6Q1VD4Z3DMUj1lXjmVl9FYbpaGuyiBrVVE6+b6+n5/Vd7MxzigpaHEl
+LYZgB/Wh+XOABv1JUwIVT+J+6fJXw6rnFfnoXYW40Yr9k9j0zsFNBGUT/qEBEADC
+w4vhyYyLemG7AWiQYP7SD4v20gxZdf3J9bKko25s7iEerP1t3lKw2FjUNwH3ePcH
+8MJnmOkHt3R+nNXlN90ZFkI72QxZBttQfCxP8hmuGrJ1T2rE/DBNI0msFaomS4yH
+3CLMHn6SWyUxaz0mRkb5nhgfTh3L4Lr99HPR8wYBNkdqLzzlCRs9fzO5Ib4rasNl
+S5UF93C7O5LP17Q0AEwJJk1h8rn/2W9vwew5upR09Xu2kRZxTwhJgn9CQCtycyNu
+kLUjAzdF9QPTPKr2KsLvM5V51oQBQjffcNKmUy/wrVcEIROaYjTW3nYDzvraB/rY
+t9uWgbFBKC2NaZdA6488WIMfnhDf6MAJ9fTL7X5bdo2Gu0BrlDK9+8UV2xEHhs8W
+z0D6AiLjS9tDkQSIv8JA/lhu7KD6sCAXidHwa3sBr1mI1vut2VW3lHrrccBspvad
++4S1AqTUnNo8NdOBGCk0UXkuhYkBko/wmYuF2AMxGnLGm3gogLMwGDORLcb53dYf
+Y+Hff98KcIdMMrQI4njEPsS32Boj/Vmq1aSVry3UqbGaqAoeD2de6uNStE21YQ+L
+L4+WFfdFV6/DhggpxqcXFC9CumqqaABhGbgPb81JJXH0GQtPriE89sbOAzLpnEcD
+OW3eaf69hhwn3wItJAwxNMnm/LAJTFLRwrWF5411fQARAQABwsOEBBgBCgAPBQJl
+E/6hBQkAAAAAAhsuAikJEIXYxnZoYpdPwV0gBBkBCgAGBQJlE/6hAAoJEGvxxkyI
+0skB/jwP/iFfYseztT4d73hg5+zMTNDD4C2KQHwKcChL95p9ihc3VCrlRZyrEV8k
+hQ5GVb3pHaaNs2FCM71lWx7OQsW+I5Ki6Kz6cgwQXi4Uojq59gxs1pX1MDMzhK6C
+C877i4Mm/3IatXTnqGBezIjXeJnF9TFoDRjDSqybPXaDkE4THyINmQ0jFEf6u/uB
+7BzrZonLgC6JrrrqYeuwRV2XRNDLeu4hdlvy6HlzfsNT00R5hDhWaAcx9OkBmIiB
+udkURWNtPTlFZqrg+H0kOrlpGKanJXh89CwXuXqb72HIuQlJq//KROIdo3z+a2Pb
+DX7/cZwY79AVUVsfj3HOk2BeCAsczR/djxhfXRc84zMf0hTQXHCpy6ICIghBVvx5
+CA9iZZm6mtjlzv42Yl5NLcKiDf/ItKa5/GfjS9PVRsh55a8zxh6T8oWWZ0ZiIJw/
+VMmA+DRYqsv9F83v0QiaiJhwCvmLM/f6ipuxocG5z0FuG2vrCnl+CNhi9bulqLuo
+2Pl/H1VTnod7ez4cGu+a9943836HpESqhxBOLxmwhCd5chorlgKR2ihCbPZDuVPN
+baOIgul69hUUumZUVYFD22oKqZvbpjmGtvGdSrC8FrraZ0iXnhseT2efJdAUELIg
+sZ9kgy1RG9VV3AQJ5cBTQswtlCzzyEJpyZi0m6jL3VcHullHEf8LAhwP/1y5bEDl
+3EJapzt2/OyK4/kBUawHhiQlHaKXG6lXabB3dd2RGhWzicSm3UVWUmj8tfBnzX1Y
+EvpshbWLgWNHrCIVRmNizav3ucBRAx9q1m38l2GsnhjpHwfw8r4JjQWI5QjaJap9
+tXGa3QmxAaBdJwWTorA4ljHczLNx864r5g9dvKM0ZlN40/gsA8hwkSFUKVeE1Bpv
+n3lGI4JhIS+UkiVCY898iWh91Y6ejfuwX7INs8+wbcl5siCJ/OZyFG3XMsBpHN2f
+d2LJEF+/NB9id+QUcmfQ5iVYrAEs0ijdsfJWhnQ04ey8Y4eBSc4R/60xBjMC1j9S
+3aYRoKZ2BwFnBO03jWzJ+0diFI0IpptwxjpxZz94nHP28yzZo3yE7f39Yzxw4npm
+ShHGXLZY/KxmlRRK2vy5aEBTulVfPRfmviIhhOBB1D6L6GKTMrNKa6rhKu2G9LnS
+ein+koIWj0cDrX70HVDTB3h7O8+He28585v3vk857wtRQlQsBBg7uxhVRsfeB6hr
+dRFO6MFchft3GAyQ+aqu9/7yz/wtiUyUDI8xzM20YasGWI4ZnphY1URU2l21mQpO
+I+LkrR21rOViAoGmcaHFSjv5Jp7jJjy6OXtJpIPV9u6qC8iRYCLpwErGSZzDZiiS
+67X82D4gEsDLNjvjV4l7cn+CenuCWV+WFAOE
+=dn2w
+-----END PGP PUBLIC KEY BLOCK-----
+```

docs/security/hr.md

@@ -4,12 +4,12 @@ Polygon uses single sign-on technologies to automate the administration of user
 
 When an employee exits the company, HR changes their status in our HRIS system, automatically removing their access to our SSO integrated SaaS platforms, and IT is immediately notified to initiate the wipe and recovery of their corporate system.  
 
-### Security awareness training
+## Security awareness training
 
-Polygon utilizes a SaaS platform to provide an integrated approach to email and security awareness training for all of our employees.  All employees are required to pass the training during their first weeks of employment.  The key features of the platform are:
+Polygon utilizes a SaaS platform to provide an integrated approach to email and security awareness training for all of our employees. All employees are required to pass the training during their first weeks of employment. The key features of the platform are:
 
-- **Industry-specific modules** - Reinforce critical concepts mapped to key industry standards and security frameworks, including ISO, NIST, PCI DSS, GDPR, and HIPAA
-- **Real-world assessment** -  Safely test employees on real-world threats with de-weaponized phishing attacks
-- **Comprehensive reporting** - Track primary indicators of risk across the awareness training platform and take remedial action with easily discernible user risk scores
-- **Integrated risk insight** - Leverage real-world click behavior to identify high risk users
-- **Effortless administration** - 12-month programs with rapid deployment
+- Industry-specific modules: Reinforce critical concepts mapped to key industry standards and security frameworks, including ISO, NIST, PCI DSS, GDPR, and HIPAA
+- Real-world assessment:  Safely test employees on real-world threats with de-weaponized phishing attacks
+- Comprehensive reporting: Track primary indicators of risk across the awareness training platform and take remedial action with easily discernible user risk scores
+- Integrated risk insight: Leverage real-world click behavior to identify high risk users
+- Effortless administration: 12-month programs with rapid deployment

docs/security/infrastructure.md

@@ -1,23 +1,23 @@
-### Polygon Bridge Security
+## Polygon bridge security
 
 Polygon develops and maintains bridges to transfer assets to-and-from the Ethereum blockchain for both the Polygon PoS network and Polygon zkEVM scaling solution. These bridges implement a lock-and-mint architecture which results in assets being controlled (locked) by the bridge smart contract implementations. As the aggregate value of locked assets on Polygon bridges is significant, we apply a corresponding focus on bridge security. Much of the security efforts documented here are rigorously applied to bridge security, including risk management, secure software development practices, auditing, vulnerability management, CI/CI and bug bounties. We leverate dedicated on-chain bridge monitoring.
 
-### Bridge Monitoring
+## Bridge monitoring
 
 The bridge on-chain infrastructure is monitored for real-time events as a way to augment the application security efforts associated with product development (i.e. threat modeling, code auditing, library and supply-chain risk and bug bounties). The real time monitoring includes both on-chain machine learning models to detect unknown threats in real time as well as empirical rule-based algorithms to capture known adversarial or error scenarios. 
 
 The monitoring infrastructure was developed both in-house and by vendors as needed to augment our capabilities in specific analysis areas. Any adverse bridge events detected by our models and tools are evaluated, triaged and, if necessary, escalated to the proper team for further analysis. The monitoring process is integrated with our enterprise incident response process for seamless integration with internal processes.
 
-### Multisig Security
+## Multisig security
 
 Specific requirements are followed by any Polygon Labs employee that is a signer on a corporate multisig contract. Multisig contacts are corporate-owned  and control treasury assets or smart contract deployments. They consist of Safes (previously Gnosis Safes) and other smart contract multisig implementations. Hardware wallets are hardware-based cold storage such as Trezor or Ledger devices that store private keys and enable signing multisig transactions offline. Signer multisig requirement include:
 
-- **Hardware Wallet:** Polygon requires cold storage from an accepted vendor dedicated for company official use only and secured by a PIN
-- **Hot Wallets:** Hot wallets are not allowed for use on Polygon multisigs
-- **Corporate Workstation:** Signing must be performed from a company system  managed by  our enterprise mobile device management (MDM) platform  complete with anti-virus (AV) and endpoint detection and device (EDR)
-- **Clean Key:** All signers are required to create a clean key that has never been exposed to a hot wallet
-- **Mnemonic Storage:** Polygon mandates safe storage of mnemonic passphrases and provides guidance to its employees
-- **Secure Communication:** All multisig signing events are coordinated using Polygon’s accepted communication protocols for multisigs
+- Hardware wallet: Polygon requires cold storage from an accepted vendor dedicated for company official use only and secured by a PIN
+- Hot wallets: Hot wallets are not allowed for use on Polygon multisigs
+- Corporate workstation: Signing must be performed from a company system  managed by  our enterprise mobile device management (MDM) platform  complete with anti-virus (AV) and endpoint detection and device (EDR)
+- Clean key: All signers are required to create a clean key that has never been exposed to a hot wallet
+- Mnemonic storage: Polygon mandates safe storage of mnemonic passphrases and provides guidance to its employees
+- Secure communication: All multisig signing events are coordinated using Polygon’s accepted communication protocols for multisigs
 
 **All corporate multisigs are monitored 24/7 by the Polygon security team.**
 

docs/security/operations.md

@@ -1,15 +1,15 @@
-**Logging**
+## Logging
 
 Polygon Labs leverages a variety of SaaS and bespoke infrastructure. Where audit logs are provided from those services, they are collected into a centralized repository and stored for a minimum of 30 days to support investigations should a security incident arise.
 Logs are reviewed automatically for anomalies to feed Polygon Labs' threat detection models.
 
-**Monitoring**
+## Monitoring
 
 Polygon Labs relies on a variety of sources generating alerts for potential security incidents. Those sources include, but are not limited to, Google Workspace, Falcon CrowdStrike, AWS GuardDuty, GCP Security Command Center, Cloudflare, and Okta. Every system with built in anomaly or threat detection directs their findings to a centralized SIEM, Coralogix, for our security analysts to review.
 
 Polygon Labs has security analysts distributed globally to help ensure timely triage of security alerts.
 
-**Incident Response**
+## Incident response
 
 Polygon Labs established an incident response policy and process modeled after industry best practices. We designate key people to act as subject matter experts to join the incident response team as needed depending on the nature of a given cyber security incident. We also leverage third-party agencies to complement our incident response team from top tier security vendors.
 
@@ -21,7 +21,7 @@ Polygon Labs carefully considers when, how and who to communicate with during in
 
 In order to ensure the incident response process remains relevant, we conduct regular incident response exercises if no real security incident has occurred after a given period.
 
-**Authentication & Access Control**
+## Authentication & access control
 
 Polygon Labs establishes standards for authentication & access control in its information security policy and information security standards documents.
 

docs/security/overview.md

@@ -2,23 +2,23 @@ At Polygon Labs, ensuring the security of our information systems and safeguardi
 
 ## Commitment to security
 
-**Dedicated security team**
+### Dedicated security team
 
 Security comes first at Polygon Labs and our commitment is proven by our in-house security team of 10+ full-time security engineers & leaders. The team remains involved in the web3 space and together with other major organizations is driving new innovations and best practices for all. 
 
-**Continuous Monitoring**
+### Continuous monitoring
 
 Polygon Labs monitors the bridge and related smart contracts for suspicious activities. Polygon’s in-house security team works alongside the Polygon development teams  and other industry experts to stay updated on known vulnerabilities in the space.
 
-**Periodic Security Assessments**
+### Periodic security assessments
 
 Polygon Labs periodically assesses the security its products and applications through extensive internal testing and external engagements, such as audits and penetration testing. All products and applications have been assessed multiple times to date. Security assessments continue as the ecosystem matures.
 
-**Bug Bounty Program**
+### Bug bounty program
 
 Developers of Polygon have ongoing bug bounty programs on leading Bug Bounty platforms with rewards of up to $1M for reported vulnerabilities in Polygon contracts. It was the most significant bounty program in the web3 community at the time of launch.
 
-**Enable developer community**
+### Enable developer community
 
 Polygon Labs is committed to enabling the developer community, allowing them to surface vulnerabilities and patching them before they are exploited.  Polygon Labs has a strict focus on security in our development lifecycle, heavily testing all code and following best practices and standards such as the Secure Software Development Lifecycle.