Commit ace0d22

author
CvH
committed
Separated in sections
1 parent 2f3f5ae commit ace0d22

12 files changed

+120
-124
lines changed

docs/security/bestpractices.md

Whitespace-only changes.

docs/security/bugbounty.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,5 +12,5 @@ https://hackenproof.com/polygon-technology/polygon-pos
1212
### HackerOne
1313
https://hackerone.com/polygon-technology
1414

15-
## Responsable Disclosure
15+
## Responsible Disclosure
1616
security@polygon.technology
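Review bot: the heading level is inconsistent within this hunk: the corrected line is `## Responsible Disclosure` (level two) while the neighbouring subsection `### HackerOne`, and the HackenProof entry shown in the hunk header, use level three. Since the spelling fix already touches this line, consider making it `### Responsible Disclosure` so the three reporting channels render as sibling subsections. The `Responsable` to `Responsible` correction itself is correct.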

docs/security/governance.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Polygon Labs' security program is designed and implemented following the ISO/IEC 27001 standards, an internationally recognized framework for managing and securing sensitive information assets. By adhering to these standards, Polygon Labs demonstrates a strong commitment to the protection of its clients' and employees' data, ensuring that confidentiality, integrity, and availability are maintained at all times.
2+
3+
The ISO27001-based security program at Polygon Labs involves the establishment of an Information Security Management System (ISMS), which is a systematic approach to managing sensitive information and minimizing risk. This includes conducting regular risk assessments to identify, analyze, and evaluate potential threats and vulnerabilities, as well as implementing appropriate security controls and measures to mitigate those risks.
4+
5+
In addition to risk assessments, Polygon Labs' ISMS incorporates a comprehensive set of policies, procedures, and guidelines that cover various aspects of information security, such as access control, incident management, and business continuity planning. Employee training and awareness programs are also an integral part of the security program, ensuring that staff members understand their roles and responsibilities in safeguarding the organization's information assets.
6+
7+
Polygon Labs has a security team led by a CISO reporting to founders.
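Review bot: the standard is named two different ways in this hunk, `ISO/IEC 27001` on line 1 and `ISO27001` on line 3; use one form throughout (ISO/IEC 27001 is the formal designation). Line 1 also says the program is "designed and implemented following" the standard, which leaves a reader unsure whether Polygon Labs holds a certification or has aligned its controls to the framework on its own; a security page should state which it is. Minor: line 7 reads better as "a CISO reporting to the founders".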

docs/security/hr.md

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
Polygon supports onboarding and offboarding employees by following a process that begins with each employee receiving a preconfigured laptop that auto enrolls in one of our Mobile Device Management Systems (MDM). MDM supports control of application usage and enforces security policy requirements on approved operating system versions and patch requirements. User access to shared services and Polygon approved SaaS tools is aligned with the secure approach of providing the least amount of privileges required for an employee to perform their tasks. Privileges are role based and given to each employee based on the functional team they are assigned to.
2+
3+
Polygon uses single sign-on technologies to automate the administration of users access and permissions across all of our SaaS tools. Automating the provisioning and removal of users' access privileges limits the risk of human error and supports efficient auditing procedures.
4+
5+
When an employee exits the company, HR changes their status in our HRIS system,automatically removing their access to our SSO integrated SaaS platforms, and IT is immediately notified to initiate the wipe and recovery of their corporate system.
6+
7+
### Security Awareness Training
8+
9+
Polygon utilizes a SaaS platform to provide an integrated approach to email and security awareness training for all of our employees. All employees are required to pass the training during their first weeks of employment. The key features of the platform are::
10+
11+
- **Industry-specific modules** - Reinforce critical concepts mapped to key industry standards and security frameworks, including ISO, NIST, PCI DSS, GDPR, and HIPAA
12+
- **Real-world assessment** - Safely test employees on real-world threats with de-weaponized phishing attacks
13+
- **Comprehensive reporting** - Track primary indicators of risk across the awareness training platform and take remedial action with easily discernible user risk scores
14+
- **Integrated risk insight** - Leverage real-world click behavior to identify high risk users
15+
- **Effortless administration**- 12-month programs with rapid deployment.
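Review bot: a few typos in this hunk: line 9 ends with a double colon (`are::`), line 5 is missing a space in `HRIS system,automatically`, line 15 is missing a space before the dash in `**Effortless administration**-`, and line 3 should read `users' access`. On line 1, "one of our Mobile Device Management Systems (MDM)" implies more than one MDM platform; if that is intended, it is worth saying which systems enrol which device classes, since the multisig requirements elsewhere in this commit depend on MDM-managed workstations.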

docs/security/infrastructure.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
### Polygon Bridge Security
2+
3+
Polygon develops and maintains bridges to transfer assets to-and-from the Ethereum blockchain for both the Polygon PoS network and Polygon zkEVM scaling solution. These bridges implement a lock-and-mint architecture which results in assets being controlled (locked) by the bridge smart contract implementations. As the aggregate value of locked assets on Polygon bridges is significant, we apply a corresponding focus on bridge security. Much of the security efforts documented here are rigorously applied to bridge security, including risk management, secure software development practices, auditing, vulnerability management, CI/CI and bug bounties. We leverate dedicated on-chain bridge monitoring.
4+
5+
### Bridge Monitoring
6+
7+
The bridge on-chain infrastructure is monitored for real-time events as a way to augment the application security efforts associated with product development (i.e. threat modeling, code auditing, library and supply-chain risk and bug bounties). The real time monitoring includes both on-chain machine learning models to detect unknown threats in real time as well as empirical rule-based algorithms to capture known adversarial or error scenarios.
8+
9+
The monitoring infrastructure was developed both in-house and by vendors as needed to augment our capabilities in specific analysis areas. Any adverse bridge events detected by our models and tools are evaluated, triaged and, if necessary, escalated to the proper team for further analysis. The monitoring process is integrated with our enterprise incident response process for seamless integration with internal processes.
10+
11+
### Multisig Security
12+
13+
Specific requirements are followed by any Polygon Labs employee that is a signer on a corporate multisig contract. Multisig contacts are corporately owned and control treasury assets or smart contract deployments. They consist of Safes (previously Gnosis Safes) and other smart contract multisig implementations. Hardware wallets are hardware-based cold storage such as Trezor or Ledger devices that store private keys and enable signing multisig transactions offline. Signer multisig requirement include:
14+
15+
- **Hardware Wallet:** Polygon requires Cold storage from an accepted vendor dedicated for company official use only and secured by a PIN
16+
- **Hot Wallets:** Hot wallets are not allowed for use on Polygon multisigs
17+
- **Corporate Workstation:** Signing must be performed from a company system managed by our enterprise mobile device management (MDM) platform complete with anti-virus (AV) and endpoint detection and device (EDR).
18+
- **Clean Key:** All signers are required to create a clean key that has never been exposed to a hot wallet
19+
- **Mnemonic Storage:** Polygon mandates safe storage of mnemonic passphrases and provides guidance to its employees
20+
- **Secure Communication:** All multisig signing events are coordinated using Polygon’s accepted communication protocols for multisigs.
21+
22+
**All corporate multisigs are monitored 24/7 by the Polygon security team.**
23+
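Review bot: several wording errors in this hunk change the meaning: `CI/CI` on line 3 should be `CI/CD`, `leverate` on the same line should be `leverage`, `Multisig contacts` on line 13 should be `Multisig contracts`, `endpoint detection and device (EDR)` on line 17 should be `endpoint detection and response (EDR)`, and `Signer multisig requirement include` on line 13 should be `requirements include`. Line 13 also defines hardware wallets in the middle of the paragraph about corporate multisig contracts; that sentence belongs with the `**Hardware Wallet:**` bullet on line 15. The bold claim on line 22 that all corporate multisigs are monitored 24/7 is not backed by any mechanism in this file; a cross-reference to the Bridge Monitoring section above or to the operations doc would support it. The trailing empty added line 23 can be dropped.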

docs/security/operations.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
**Logging**
2+
3+
Polygon Labs leverages a variety of SaaS and bespoke infrastructure. Where audit logs are provided from those services, they are collected into a centralized repository and stored for a minimum of 30 days to support investigations should a security incident arise.
4+
Logs are reviewed automatically for anomalies to feed Polygon Labs' threat detection models.
5+
6+
**Monitoring**
7+
8+
Polygon Labs relies on a variety of sources generating alerts for potential security incidents. Those sources include, but are not limited to, Google Workspace, Falcon CrowdStrike, AWS GuardDuty, GCP Security Command Center, Cloudflare, and Okta. Every system with built in anomaly or threat detection directs their findings to a centralized SIEM, Coralogix, for our security analysts to review.
9+
10+
Polygon Labs has security analysts distributed globally to help ensure timely triage of security alerts.
11+
12+
**Incident Response**
13+
14+
Polygon Labs established an incident response policy and process modeled after industry best practices. We designate key people to act as subject matter experts to join the incident response team as needed depending on the nature of a given cyber security incident. We also leverage third-party agencies to complement our incident response team from top tier security vendors.
15+
16+
The life cycle of a cyber security incident begins with detection and discovery. At Polygon Labs we leverage a variety of tools such as anti-virus, endpoint detection and response, network intrusion detection, phish screening and anomaly detection to help ensure we identify potential cyber security events early. We also provide our employees and community with mechanisms to proactively report suspicious activity including a ticketing system, instant messaging channels and a dedicated phone number for emergencies.
17+
18+
When an incident is identified the security operations team performs triage and draws on our roster of subject matter experts to help with investigation and analysis. If an incident is declared a true positive we move from analysis to containment, remediation and recovery. Along the way, we document the timeline of the incident and preserve evidence. Our incident response team works closely with our legal and compliance teams to help ensure we take the correct steps in handling information that may be required for legal or regulatory responses.
19+
20+
Polygon Labs carefully considers when, how and who to communicate with during incident response. Impacted stakeholders are sent notifications in a timely manner to ensure they can take reasonable steps to protect their information if necessary. Polygon Labs also makes every effort to work with law enforcement to the degree required by the laws of the jurisdictions that we operate in, which may be different depending on the nature of the cyber security incident.
21+
22+
In order to ensure the incident response process remains relevant, we conduct regular incident response exercises if no real security incident has occurred after a given period.
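Review bot: the product name on line 8 is reversed, `Falcon CrowdStrike` should be `CrowdStrike Falcon`; on the same line, `Every system ... directs their findings` should be `its findings` and `built in` should be hyphenated. The section headings in this file are bold text (`**Logging**`, `**Monitoring**`, `**Incident Response**`) while the other files in this commit use `###` headings; switching to `###` keeps the rendered table of contents consistent. Line 3 gives a minimum log retention of 30 days, but line 18 describes preserving evidence and timelines during incident handling; consider stating separately how long security-relevant logs are kept, or that retention is extended under an investigation hold, since 30 days is short for incidents discovered late. Line 20, "when, how and who to communicate with", reads better as "when, how and with whom to communicate".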
