public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Antoine Riard <antoine.riard@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
Date: Wed, 3 Jul 2024 10:20:06 -0700 (PDT)	[thread overview]
Message-ID: <2414b7a9-3f38-4641-a2c5-58aa37691fe5n@googlegroups.com> (raw)
In-Reply-To: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 3719 bytes --]

Hello Antoine,

For information the lifecycle of each bitcoin core release has been updated 
with EOL dates for each version:
https://bitcoincore.org/en/lifecycle/

That way it's great if you plan to throw bitcoin core or some of its 
components on secure hardware env, where lifecycles can be harder to manage.

True thanks the six of you for all the work done on putting in place a 
better disclosure policy.

Best,
Antoine (the other one)
Le mercredi 3 juillet 2024 à 14:10:10 UTC+1, Antoine Poinsot a écrit :

> Hi everyone,
>
> We are writing to announce the policy Bitcoin Core will be using for 
> disclosing security vulnerabilities.
>
> The project has historically done a poor job at publicly disclosing 
> security-critical bugs, whether externally reported or found by 
> contributors. This has led to a situation where a lot of users perceive 
> Bitcoin Core as never having bugs. This perception is dangerous and, 
> unfortunately, not accurate.
>
> Besides a better communication of the risk of running outdated versions, a 
> consistent tracking and standardized disclosure process would set clear 
> expectations for security researchers, providing them with an incentive to 
> try finding vulnerabilities *and* to responsibly disclose them. Making the 
> security bugs available to the wider group of contributors can help prevent 
> future ones.
>
> Over the past months, we've worked on setting this up. Here is the 
> disclosure policy we came up with.
>
> When reported, a vulnerability will be assigned a severity category. We 
> differentiate between 4 classes of vulnerabilities:
> - **Low**: bugs which are hard to exploit or have a low impact. For 
> instance a wallet bug which requires access to the victim's machine.
> - **Medium**: bugs with limited impact. For instance a local network 
> remote crash.
> - **High**: bugs with significant impact. For instance a remote crash, or 
> a local network RCE. 
> - **Critical**: bugs which threaten the whole network's integrity. For 
> instance an inflation or coin theft bug.
>
> **Low** severity bugs will be disclosed 2 weeks after a fixed version is 
> released. A pre-announcement will be made at the same time as the release.
>
> **Medium** and **high** severity bugs will be disclosed 2 weeks after the 
> last affected release goes EOL. This is a year after a fixed version was 
> first released. A pre-announcement will be made 2 weeks prior to disclosure.
>
> **Critical** bugs are not considered in the standard policy, as they would 
> most likely require an ad-hoc procedure.
>
> Also, a bug may not be considered a vulnerability at all. A reported issue 
> may be considered serious yet not require an embargo.
>
> This policy will be gradually adopted in the coming months. Today we will 
> disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and 
> earlier. Later in july we will disclose all vulnerabilities fixed in 
> Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin 
> Core version 23.0. And so on until we run out of EOL versions to disclose 
> vulnerabilities for.
>
> Please let us know if this policy may have a significant negative impact 
> for you.
>
> Anthony, Antoine, Ava, Michael, Niklas and Pieter.
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 4272 bytes --]

  reply	other threads:[~2024-07-09  1:16 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-03 12:57 [bitcoindev] " 'Antoine Poinsot' via Bitcoin Development Mailing List
2024-07-03 17:20 ` Antoine Riard [this message]
2024-07-04  0:44 ` [bitcoindev] " Eric Voskuil
2024-07-04 14:34   ` Antoine Riard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2414b7a9-3f38-4641-a2c5-58aa37691fe5n@googlegroups.com \
    --to=antoine.riard@gmail$(echo .)com \
    --cc=bitcoindev@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox