* [bitcoin-dev] Responsible disclosure of bugs
@ 2017-09-10 22:03 Simon Liu
2017-09-10 23:02 ` Matt Corallo
0 siblings, 1 reply; 17+ messages in thread
From: Simon Liu @ 2017-09-10 22:03 UTC (permalink / raw)
To: Bitcoin Dev
Hi,
Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
conference, and the subsequent discussion around responsible disclosure
and industry practice, perhaps now would be a good time to discuss
"Bitcoin and CVEs" which has gone unanswered for 6 months.
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html
To quote:
"Are there are any vulnerabilities in Bitcoin which have been fixed but
not yet publicly disclosed? Is the following list of Bitcoin CVEs
up-to-date?
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
There have been no new CVEs posted for almost three years, except for
CVE-2015-3641, but there appears to be no information publicly available
for that issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
It would be of great benefit to end users if the community of clients
and altcoins derived from Bitcoin Core could be patched for any known
vulnerabilities.
Does anyone keep track of security related bugs and patches, where the
defect severity is similar to those found on the CVE list above? If
yes, can that list be shared with other developers?"
Best Regards,
Simon
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-10 22:03 [bitcoin-dev] Responsible disclosure of bugs Simon Liu
@ 2017-09-10 23:02 ` Matt Corallo
2017-09-10 23:28 ` CryptAxe
2017-09-11 2:15 ` Anthony Towns
0 siblings, 2 replies; 17+ messages in thread
From: Matt Corallo @ 2017-09-10 23:02 UTC (permalink / raw)
To: Simon Liu, Bitcoin Protocol Discussion
I believe there continues to be concern over a number of altcoins which
are running old, unpatched forks of Bitcoin Core, making it rather
difficult to disclose issues without putting people at risk (see, eg,
some of the dos issues which are preventing release of the alert key).
I'd encourage the list to have a discussion about what reasonable
approaches could be taken there.
On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> Hi,
>
> Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> conference, and the subsequent discussion around responsible disclosure
> and industry practice, perhaps now would be a good time to discuss
> "Bitcoin and CVEs" which has gone unanswered for 6 months.
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html
>
> To quote:
>
> "Are there are any vulnerabilities in Bitcoin which have been fixed but
> not yet publicly disclosed? Is the following list of Bitcoin CVEs
> up-to-date?
>
> https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
>
> There have been no new CVEs posted for almost three years, except for
> CVE-2015-3641, but there appears to be no information publicly available
> for that issue:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
>
> It would be of great benefit to end users if the community of clients
> and altcoins derived from Bitcoin Core could be patched for any known
> vulnerabilities.
>
> Does anyone keep track of security related bugs and patches, where the
> defect severity is similar to those found on the CVE list above? If
> yes, can that list be shared with other developers?"
>
> Best Regards,
> Simon
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-10 23:02 ` Matt Corallo
@ 2017-09-10 23:28 ` CryptAxe
2017-09-11 2:15 ` Anthony Towns
1 sibling, 0 replies; 17+ messages in thread
From: CryptAxe @ 2017-09-10 23:28 UTC (permalink / raw)
To: Matt Corallo, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2717 bytes --]
I don't think we should put any Bitcoin users at additional risk to help
altcoins. If they fork the code they are making maintenance their own
responsibly.
It's hard to disclose a bitcoin vulnerability considering the network is
decentralised and core can't force everyone to update. Maybe a timeout
period for vulnerabilities could be decided. People might be expected to
patched before then at which point the vulnerability can be published. Is
that not already sort of how it works?
On Sep 10, 2017 4:10 PM, "Matt Corallo via bitcoin-dev" <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> I believe there continues to be concern over a number of altcoins which
> are running old, unpatched forks of Bitcoin Core, making it rather
> difficult to disclose issues without putting people at risk (see, eg,
> some of the dos issues which are preventing release of the alert key).
> I'd encourage the list to have a discussion about what reasonable
> approaches could be taken there.
>
> On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > Hi,
> >
> > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > conference, and the subsequent discussion around responsible disclosure
> > and industry practice, perhaps now would be a good time to discuss
> > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> >
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-March/013751.html
> >
> > To quote:
> >
> > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > not yet publicly disclosed? Is the following list of Bitcoin CVEs
> > up-to-date?
> >
> > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> >
> > There have been no new CVEs posted for almost three years, except for
> > CVE-2015-3641, but there appears to be no information publicly available
> > for that issue:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> >
> > It would be of great benefit to end users if the community of clients
> > and altcoins derived from Bitcoin Core could be patched for any known
> > vulnerabilities.
> >
> > Does anyone keep track of security related bugs and patches, where the
> > defect severity is similar to those found on the CVE list above? If
> > yes, can that list be shared with other developers?"
> >
> > Best Regards,
> > Simon
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists•linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4113 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-10 23:02 ` Matt Corallo
2017-09-10 23:28 ` CryptAxe
@ 2017-09-11 2:15 ` Anthony Towns
2017-09-11 11:34 ` Alex Morcos
1 sibling, 1 reply; 17+ messages in thread
From: Anthony Towns @ 2017-09-11 2:15 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
On Sun, Sep 10, 2017 at 07:02:36PM -0400, Matt Corallo via bitcoin-dev wrote:
> I believe there continues to be concern over a number of altcoins which
> are running old, unpatched forks of Bitcoin Core, making it rather
> difficult to disclose issues without putting people at risk (see, eg,
> some of the dos issues which are preventing release of the alert key).
> I'd encourage the list to have a discussion about what reasonable
> approaches could be taken there.
That seems like it just says bitcoin core has two classes of users:
people who use it directly following mainnet or testnet, and people who
make derived works based on it to run altcoins.
Having a "responsible disclosure" timeline something like:
* day -N: vulnerability reported privately
* day -N+1: details shared amongst private trusted bitcoin core group
* day 0: patch/workaround/mitigation determined, CVE reserved
* day 1: basic information shared with small group of trusted users
(eg, altcoin maintainers, exchanges, maybe wallet devs)
* day ~7: patches can be included in git repo
(without references to vulnerability)
* day 90: release candidate with fix available
* day 120: official release including fix
* day 134: CVE published with details and acknowledgements
could make sense. 90 days / 3 months is hopefully a fair strict upper
bound for how long it should take to get a fix into a rc; but that's still
a lot longer than many responsible disclosure timeframes, like CERT's at
45 days, but also shorter than some bitcoin core minor update cycles...
Obviously, those timelines could be varied down if something is more
urgent (or just easy).
As it is, not publishing vulnerability info just seems like it gives
everyone a false sense of security, and encourages ignoring good security
practices, either not upgrading bitcoind nodes, or not ensuring altcoin
implementations keep up to date...
I suppose both "trusted bitcoin core group" and "small group of trusted
users" isn't 100% cypherpunk, but it sure seems better than not both not
disclosing vulnerability details, and not disclosing vulnerabilities
at all... (And maybe it could be made more cypherpunk by, say, having
the disclosures to trusted groups have the description/patches get
automatically fuzzed to perhaps allow identification of leakers?)
Cheers,
aj
> On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > Hi,
> >
> > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > conference, and the subsequent discussion around responsible disclosure
> > and industry practice, perhaps now would be a good time to discuss
> > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> >
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html
> >
> > To quote:
> >
> > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > not yet publicly disclosed? Is the following list of Bitcoin CVEs
> > up-to-date?
> >
> > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> >
> > There have been no new CVEs posted for almost three years, except for
> > CVE-2015-3641, but there appears to be no information publicly available
> > for that issue:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> >
> > It would be of great benefit to end users if the community of clients
> > and altcoins derived from Bitcoin Core could be patched for any known
> > vulnerabilities.
> >
> > Does anyone keep track of security related bugs and patches, where the
> > defect severity is similar to those found on the CVE list above? If
> > yes, can that list be shared with other developers?"
> >
> > Best Regards,
> > Simon
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists•linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-11 2:15 ` Anthony Towns
@ 2017-09-11 11:34 ` Alex Morcos
2017-09-11 17:43 ` Daniel Stadulis
2017-09-12 3:37 ` Anthony Towns
0 siblings, 2 replies; 17+ messages in thread
From: Alex Morcos @ 2017-09-11 11:34 UTC (permalink / raw)
To: Anthony Towns, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 5204 bytes --]
I don't think I know the right answer here, but I will point out two things
that make this a little more complicated.
1 - There are lots of altcoin developers and while I'm sure the majority
would greatly appreciate the disclosure and would behave responsibly with
the information, I don't know where you draw the line on who you tell and
who you don't.
2- Unlike other software, I'm not sure good security for bitcoin is defined
by constant upgrading. Obviously upgrading has an important benefit, but
one of the security considerations for Bitcoin is knowing that your
definition of the money hasn't changed. Much harder to know that if you
change software.
On Sun, Sep 10, 2017 at 10:15 PM, Anthony Towns via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> On Sun, Sep 10, 2017 at 07:02:36PM -0400, Matt Corallo via bitcoin-dev
> wrote:
> > I believe there continues to be concern over a number of altcoins which
> > are running old, unpatched forks of Bitcoin Core, making it rather
> > difficult to disclose issues without putting people at risk (see, eg,
> > some of the dos issues which are preventing release of the alert key).
> > I'd encourage the list to have a discussion about what reasonable
> > approaches could be taken there.
>
> That seems like it just says bitcoin core has two classes of users:
> people who use it directly following mainnet or testnet, and people who
> make derived works based on it to run altcoins.
>
> Having a "responsible disclosure" timeline something like:
>
> * day -N: vulnerability reported privately
> * day -N+1: details shared amongst private trusted bitcoin core group
> * day 0: patch/workaround/mitigation determined, CVE reserved
> * day 1: basic information shared with small group of trusted users
> (eg, altcoin maintainers, exchanges, maybe wallet devs)
> * day ~7: patches can be included in git repo
> (without references to vulnerability)
> * day 90: release candidate with fix available
> * day 120: official release including fix
> * day 134: CVE published with details and acknowledgements
>
> could make sense. 90 days / 3 months is hopefully a fair strict upper
> bound for how long it should take to get a fix into a rc; but that's still
> a lot longer than many responsible disclosure timeframes, like CERT's at
> 45 days, but also shorter than some bitcoin core minor update cycles...
> Obviously, those timelines could be varied down if something is more
> urgent (or just easy).
>
> As it is, not publishing vulnerability info just seems like it gives
> everyone a false sense of security, and encourages ignoring good security
> practices, either not upgrading bitcoind nodes, or not ensuring altcoin
> implementations keep up to date...
>
> I suppose both "trusted bitcoin core group" and "small group of trusted
> users" isn't 100% cypherpunk, but it sure seems better than not both not
> disclosing vulnerability details, and not disclosing vulnerabilities
> at all... (And maybe it could be made more cypherpunk by, say, having
> the disclosures to trusted groups have the description/patches get
> automatically fuzzed to perhaps allow identification of leakers?)
>
> Cheers,
> aj
>
> > On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > > Hi,
> > >
> > > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > > conference, and the subsequent discussion around responsible disclosure
> > > and industry practice, perhaps now would be a good time to discuss
> > > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> > >
> > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-March/013751.html
> > >
> > > To quote:
> > >
> > > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > > not yet publicly disclosed? Is the following list of Bitcoin CVEs
> > > up-to-date?
> > >
> > > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> > >
> > > There have been no new CVEs posted for almost three years, except for
> > > CVE-2015-3641, but there appears to be no information publicly
> available
> > > for that issue:
> > >
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> > >
> > > It would be of great benefit to end users if the community of clients
> > > and altcoins derived from Bitcoin Core could be patched for any known
> > > vulnerabilities.
> > >
> > > Does anyone keep track of security related bugs and patches, where the
> > > defect severity is similar to those found on the CVE list above? If
> > > yes, can that list be shared with other developers?"
> > >
> > > Best Regards,
> > > Simon
> > > _______________________________________________
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists•linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists•linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 7252 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-11 11:34 ` Alex Morcos
@ 2017-09-11 17:43 ` Daniel Stadulis
2017-09-11 18:29 ` Gregory Maxwell
2017-09-12 4:47 ` Anthony Towns
2017-09-12 3:37 ` Anthony Towns
1 sibling, 2 replies; 17+ messages in thread
From: Daniel Stadulis @ 2017-09-11 17:43 UTC (permalink / raw)
To: Alex Morcos, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 6082 bytes --]
I think it's relevant to treat different bug severity levels with different
response plans.
E.g.
Compromising UTXO custody (In CVE-2010-5141, OP_RETURN vulnerability)
Compromising UTXO state (In CVE-2013-3220, blockchain split due to Berkeley
DB -> LevelDB upgrade, CVE-2010-5139 Overflow bug, unscheduled inflation of
coins)
Compromising Node performance (Various node-specific DoS attacks)
Should have different disclosure policies, IMO
On Mon, Sep 11, 2017 at 4:34 AM, Alex Morcos via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> I don't think I know the right answer here, but I will point out two
> things that make this a little more complicated.
>
> 1 - There are lots of altcoin developers and while I'm sure the majority
> would greatly appreciate the disclosure and would behave responsibly with
> the information, I don't know where you draw the line on who you tell and
> who you don't.
>
> 2- Unlike other software, I'm not sure good security for bitcoin is
> defined by constant upgrading. Obviously upgrading has an important
> benefit, but one of the security considerations for Bitcoin is knowing that
> your definition of the money hasn't changed. Much harder to know that if
> you change software.
>
>
>
> On Sun, Sep 10, 2017 at 10:15 PM, Anthony Towns via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> On Sun, Sep 10, 2017 at 07:02:36PM -0400, Matt Corallo via bitcoin-dev
>> wrote:
>> > I believe there continues to be concern over a number of altcoins which
>> > are running old, unpatched forks of Bitcoin Core, making it rather
>> > difficult to disclose issues without putting people at risk (see, eg,
>> > some of the dos issues which are preventing release of the alert key).
>> > I'd encourage the list to have a discussion about what reasonable
>> > approaches could be taken there.
>>
>> That seems like it just says bitcoin core has two classes of users:
>> people who use it directly following mainnet or testnet, and people who
>> make derived works based on it to run altcoins.
>>
>> Having a "responsible disclosure" timeline something like:
>>
>> * day -N: vulnerability reported privately
>> * day -N+1: details shared amongst private trusted bitcoin core group
>> * day 0: patch/workaround/mitigation determined, CVE reserved
>> * day 1: basic information shared with small group of trusted users
>> (eg, altcoin maintainers, exchanges, maybe wallet devs)
>> * day ~7: patches can be included in git repo
>> (without references to vulnerability)
>> * day 90: release candidate with fix available
>> * day 120: official release including fix
>> * day 134: CVE published with details and acknowledgements
>>
>> could make sense. 90 days / 3 months is hopefully a fair strict upper
>> bound for how long it should take to get a fix into a rc; but that's still
>> a lot longer than many responsible disclosure timeframes, like CERT's at
>> 45 days, but also shorter than some bitcoin core minor update cycles...
>> Obviously, those timelines could be varied down if something is more
>> urgent (or just easy).
>>
>> As it is, not publishing vulnerability info just seems like it gives
>> everyone a false sense of security, and encourages ignoring good security
>> practices, either not upgrading bitcoind nodes, or not ensuring altcoin
>> implementations keep up to date...
>>
>> I suppose both "trusted bitcoin core group" and "small group of trusted
>> users" isn't 100% cypherpunk, but it sure seems better than not both not
>> disclosing vulnerability details, and not disclosing vulnerabilities
>> at all... (And maybe it could be made more cypherpunk by, say, having
>> the disclosures to trusted groups have the description/patches get
>> automatically fuzzed to perhaps allow identification of leakers?)
>>
>> Cheers,
>> aj
>>
>> > On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
>> > > Hi,
>> > >
>> > > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
>> > > conference, and the subsequent discussion around responsible
>> disclosure
>> > > and industry practice, perhaps now would be a good time to discuss
>> > > "Bitcoin and CVEs" which has gone unanswered for 6 months.
>> > >
>> > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017
>> -March/013751.html
>> > >
>> > > To quote:
>> > >
>> > > "Are there are any vulnerabilities in Bitcoin which have been fixed
>> but
>> > > not yet publicly disclosed? Is the following list of Bitcoin CVEs
>> > > up-to-date?
>> > >
>> > > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
>> > >
>> > > There have been no new CVEs posted for almost three years, except for
>> > > CVE-2015-3641, but there appears to be no information publicly
>> available
>> > > for that issue:
>> > >
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
>> > >
>> > > It would be of great benefit to end users if the community of clients
>> > > and altcoins derived from Bitcoin Core could be patched for any known
>> > > vulnerabilities.
>> > >
>> > > Does anyone keep track of security related bugs and patches, where the
>> > > defect severity is similar to those found on the CVE list above? If
>> > > yes, can that list be shared with other developers?"
>> > >
>> > > Best Regards,
>> > > Simon
>> > > _______________________________________________
>> > > bitcoin-dev mailing list
>> > > bitcoin-dev@lists•linuxfoundation.org
>> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> > >
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists•linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
[-- Attachment #2: Type: text/html, Size: 8728 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-11 17:43 ` Daniel Stadulis
@ 2017-09-11 18:29 ` Gregory Maxwell
2017-09-12 4:47 ` Anthony Towns
1 sibling, 0 replies; 17+ messages in thread
From: Gregory Maxwell @ 2017-09-11 18:29 UTC (permalink / raw)
To: Daniel Stadulis, Bitcoin Protocol Discussion
On Mon, Sep 11, 2017 at 5:43 PM, Daniel Stadulis via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> I think it's relevant to treat different bug severity levels with different
> response plans.
>
> E.g.
> Compromising UTXO custody (In CVE-2010-5141, OP_RETURN vulnerability)
> Compromising UTXO state (In CVE-2013-3220, blockchain split due to Berkeley
> DB -> LevelDB upgrade, CVE-2010-5139 Overflow bug, unscheduled inflation of
> coins)
> Compromising Node performance (Various node-specific DoS attacks)
>
> Should have different disclosure policies, IMO
This assumes the states are discernible. They often aren't cleanly.
You obviously know how bad it is in the best case, but the worst could
be much worse.
I've multiple time seen a hard to exploit issue turn out to be trivial
when you find the right trick, or a minor dos issue turn our to far
more serious.
Simple performance bugs, expertly deployed, can potentially be used to
carve up the network--- miner A and exchange B go in one partition,
everyone else in another.. and doublespend.
And so on. So while I absolutely do agree that different things
should and can be handled differently, it is not always so clear cut.
It's prudent to treat things as more severe than you know them to be.
In fact, someone pointed out to me a major amplifier of the
utxo-memory attack thing today that Bitcoin Core narrowly dodges which
would have made it very easy to exploit against some users, and which
it seems no one previously considered.
I also think it's somewhat incorrect to call this thread anything
about disclosure, this thread is not about disclosure. Disclosure is
when you tell the vendor. This thread is about publication and that
has very different implications. Publication is when you're sure
you've told the prospective attackers.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-11 11:34 ` Alex Morcos
2017-09-11 17:43 ` Daniel Stadulis
@ 2017-09-12 3:37 ` Anthony Towns
2017-09-12 4:49 ` Sergio Demian Lerner
` (2 more replies)
1 sibling, 3 replies; 17+ messages in thread
From: Anthony Towns @ 2017-09-12 3:37 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
On Mon, Sep 11, 2017 at 07:34:33AM -0400, Alex Morcos wrote:
> I don't think I know the right answer here, but I will point out two things
> that make this a little more complicated.
> 1 - There are lots of altcoin developers and while I'm sure the majority would
> greatly appreciate the disclosure and would behave responsibly with the
> information, I don't know where you draw the line on who you tell and who you
> don't.
If you can't pick even a small group that's trustworthy (top five by
market cap as a start [0]? or just major bitcoin wallets / exchanges /
alt node implementations?), then it still seems better to (eventually)
disclose publically than keep it unrevealed and let it be a potential
advantage for attackers against people who haven't upgraded for other
reasons?
I find it hard to imagine bitcoin's still obscure enough that people
aren't tracking git commit logs to use them as inspiration for attacks
on bitcoin users and businesses; at best I would have thought it'd
only be a few months of development time between a fix being proposed
as a PR or committed to master and black hats having the ability to
exploit it in users who are running older nodes. (Or for that matter,
being able to be exploited by otherwise legitimate bitcoin businesses
with an agenda to push, a strong financial motive behind that agenda,
and a legal team that says they'll get away with it)
> 2- Unlike other software, I'm not sure good security for bitcoin is defined by
> constant upgrading. Obviously upgrading has an important benefit, but one of
> the security considerations for Bitcoin is knowing that your definition of the
> money hasn't changed. Much harder to know that if you change software.
Isn't that just an argument for putting more effort into backporting
fixes/workarounds? (I don't see how you do that without essentially
publically disclosing which patches have a security impact -- "oh,
gosh, this patch gets a backport, I wonder if maybe it has security
implications...")
(In so far as bitcoin is a consensus system, there can sometimes be a
positive network effect, where having other people upgrade can help your
security, even if you don't upgrade; "herd immunity" if you will. That
way a new release going out to other people helps keep you safe, even
while you continue to maintain the same definition of money by not
upgrading at all)
If altcoin maintainers are inconvenienced by tracking bitcoin-core
updates, that would be an argument for them to contribute back to their
upstream to make their own job easier; either helping with backports,
or perhaps contributing to patches like PR#8994 might help.
All of those things seem like they'd help not just altcoins but bitcoin
investors/traders too, so it's not even a trade-off between classes of
bitcoin core users. And if in the end various altcoins aren't able to
keep up with security fixes, that's probably valuable information to
provide to the market...
Cheers,
aj
[0] Roughly: BCash, Litecoin, Dash, BitConnect, ZCash, Dogecoin?
I've no idea which of those might have trustworthy devs to work with,
but surely at least a couple do?
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-11 17:43 ` Daniel Stadulis
2017-09-11 18:29 ` Gregory Maxwell
@ 2017-09-12 4:47 ` Anthony Towns
1 sibling, 0 replies; 17+ messages in thread
From: Anthony Towns @ 2017-09-12 4:47 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
On Mon, Sep 11, 2017 at 10:43:52AM -0700, Daniel Stadulis wrote:
> I think it's relevant to treat different bug severity levels with different
> response plans.
That makes sense.
For comparison, Monero defines a response process that has three levels
and varies the response for each:
] a. HIGH: impacts network as a whole, has potential to break entire
] network, results in the loss of monero, or is on a scale of great
] catastrophe
] b. MEDIUM: impacts individual nodes, wallets, or must be carefully
] exploited
] c. LOW: is not easily exploitable
-- https://github.com/monero-project/monero/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
Among other things, HIGH gets treated as an emergency, MEDIUM get fixed
in a point release; LOW get deferred to the next regular release eg.
Additionally, independently of the severity, Monero's doc says they'll
either get their act together with a fix and report within 90 days,
or otherwise the researcher that found the vulnerability has the right
to publically disclose the issue themselves...
I wouldn't say that's a perfect fit for bitcoin core (at a minimum, given
the size of the ecosystem and how much care needs to go into releases,
I think 90 days is probably too short), but it seems better than current
practice...
For comparison, if you're an altcoin developer or just bitcoin core user,
and are trying to work out whether the software you're using is secure;
if you do a quick google and end up at:
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
you might conclude that as long as you're running version 0.11 or later,
you're fine. That doesn't seem like an accurate conclusion for people
to draw; but if you're not tracking every commit/PR, how do you do any
better than that?
Maybe transitioning from keeping things private indefinitely to having
a public disclosure policy is tricky. Maybe it might work to build up to it,
something like:
* We'll start releasing info about security vulnerabilities fixed in
0.12.0 and earlier releases as of 2018-01-01
* Then we'll continue with 0.13.0 and earlier as of 2018-03-01
* Likewise for 0.14.0 as of 2018-05-01
* Thereafter we'll adopt a regular policy at http://...
That or something like it at least gives people relying on older,
potentially vulnerable versions a realistic chance to privately prepare
and deploy any upgrades or fixes they've missed out on until now.
Cheers,
aj
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 3:37 ` Anthony Towns
@ 2017-09-12 4:49 ` Sergio Demian Lerner
2017-09-12 16:10 ` Simon Liu
2017-09-12 17:57 ` Gregory Maxwell
2017-09-12 5:18 ` Bryan Bishop
2017-09-12 17:41 ` Gregory Maxwell
2 siblings, 2 replies; 17+ messages in thread
From: Sergio Demian Lerner @ 2017-09-12 4:49 UTC (permalink / raw)
To: Anthony Towns, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 4902 bytes --]
Historically people have published vulnerabilities in Bitcoin only after
>80% of the nodes have upgraded. This seems to be the general (but not
publicly stated) policy. If you're a core developer and you know better,
please correct me.
This means that:
- a critical vulnerability, like a remote code execution, will be patched
immediately (without disclosing the actual problem) and all participants
will be notified asap. This is no different from any other open source
project. An example of this case was the OpenSSL Heartbleed vulnerability
that affected Bitcoin.
- a non-critical vulnerability, either because miners only can exploit it
or because it requires vast resources to pull, may require a wait of years
before publication, after a vulnerability was found and reported. This is
because the "natural" node upgrade rate is slow.
It also implies that some times a researcher works hard to investigate a
vulnerability and later he finds out it was previously reported. It also
means that the researcher cannot report to alt-coins which have a different
policy.
This policy has nothing to do with a loyalty to Bitcoin Core (or in fact,
the two or so developers that actually receive the e-mails to
security@bitcoincore•org).
This is a policy that has simply proven to work to protect Bitcoiners. It
began long long ago.
On Tue, Sep 12, 2017 at 12:37 AM, Anthony Towns via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> On Mon, Sep 11, 2017 at 07:34:33AM -0400, Alex Morcos wrote:
> > I don't think I know the right answer here, but I will point out two
> things
> > that make this a little more complicated.
> > 1 - There are lots of altcoin developers and while I'm sure the majority
> would
> > greatly appreciate the disclosure and would behave responsibly with the
> > information, I don't know where you draw the line on who you tell and
> who you
> > don't.
>
> If you can't pick even a small group that's trustworthy (top five by
> market cap as a start [0]? or just major bitcoin wallets / exchanges /
> alt node implementations?), then it still seems better to (eventually)
> disclose publically than keep it unrevealed and let it be a potential
> advantage for attackers against people who haven't upgraded for other
> reasons?
>
> I find it hard to imagine bitcoin's still obscure enough that people
> aren't tracking git commit logs to use them as inspiration for attacks
> on bitcoin users and businesses; at best I would have thought it'd
> only be a few months of development time between a fix being proposed
> as a PR or committed to master and black hats having the ability to
> exploit it in users who are running older nodes. (Or for that matter,
> being able to be exploited by otherwise legitimate bitcoin businesses
> with an agenda to push, a strong financial motive behind that agenda,
> and a legal team that says they'll get away with it)
>
> > 2- Unlike other software, I'm not sure good security for bitcoin is
> defined by
> > constant upgrading. Obviously upgrading has an important benefit, but
> one of
> > the security considerations for Bitcoin is knowing that your definition
> of the
> > money hasn't changed. Much harder to know that if you change software.
>
> Isn't that just an argument for putting more effort into backporting
> fixes/workarounds? (I don't see how you do that without essentially
> publically disclosing which patches have a security impact -- "oh,
> gosh, this patch gets a backport, I wonder if maybe it has security
> implications...")
>
> (In so far as bitcoin is a consensus system, there can sometimes be a
> positive network effect, where having other people upgrade can help your
> security, even if you don't upgrade; "herd immunity" if you will. That
> way a new release going out to other people helps keep you safe, even
> while you continue to maintain the same definition of money by not
> upgrading at all)
>
> If altcoin maintainers are inconvenienced by tracking bitcoin-core
> updates, that would be an argument for them to contribute back to their
> upstream to make their own job easier; either helping with backports,
> or perhaps contributing to patches like PR#8994 might help.
>
> All of those things seem like they'd help not just altcoins but bitcoin
> investors/traders too, so it's not even a trade-off between classes of
> bitcoin core users. And if in the end various altcoins aren't able to
> keep up with security fixes, that's probably valuable information to
> provide to the market...
>
> Cheers,
> aj
>
> [0] Roughly: BCash, Litecoin, Dash, BitConnect, ZCash, Dogecoin?
> I've no idea which of those might have trustworthy devs to work with,
> but surely at least a couple do?
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 6064 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 3:37 ` Anthony Towns
2017-09-12 4:49 ` Sergio Demian Lerner
@ 2017-09-12 5:18 ` Bryan Bishop
2017-09-12 17:41 ` Gregory Maxwell
2 siblings, 0 replies; 17+ messages in thread
From: Bryan Bishop @ 2017-09-12 5:18 UTC (permalink / raw)
To: Anthony Towns, Bitcoin Protocol Discussion, Bryan Bishop
On Mon, Sep 11, 2017 at 10:37 PM, Anthony Towns via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> All of those things seem like they'd help not just altcoins but bitcoin
> investors/traders too, so it's not even a trade-off between classes of
> bitcoin core users. And if in the end various altcoins aren't able to
> keep up with security fixes, that's probably valuable information to
> provide to the market...
I have a reply to your point, but I want to clarify first that I am
not trying to provide any sort of criticism of your character, and to
any extent that my text is misinterpreted that way, that's entirely my
fault here. Anyway, here goes.
It's not enough to defend bitcoin and its users from active threats,
there is a more general responsibility to defend all kinds of users
and different software from many kinds of threats in whatever forms,
even if folks are using stupid and insecure software that you
personally don't maintain or contribute to or advocate for. Handling
knowledge of a vulnerability is a delicate matter and you might be
receiving knowledge with more serious direct or indirect impact than
originally described.
Besides the moral and ethical reasons to not unduly accelerate the
exploitation of a vulnerability, there is also a reputational
standpoint to consider, in that your position that your own (security)
work is credible is actually harmed by showing negative care for other
works by being first to publish either insecure software or knowledge
of a vulnerability. And sometimes the opposite is true: by not
disclosing knowledge of how a design is broken to someone inviting its
review, you're showing negative care in that way too, such as by
unintentionally encouraging the implementation of really bad ideas or
entirely novel misunderstandings of what you once thought were clear
concepts. So there is a difficult path to walk and especially in
security not all may be as it seems; caution is highly recommended.
Yes it would be good for "the market" to "get the signal" that
altcoins are insecure, and that some altcoin vendors are literally and
actively malicious entities, but I think everyone needs to take a step
back here and very carefully consider the color of their hats,
including those who advocate in the name of insecure downstream/forked
software.
The downside of the approach I've advocated for is that it requires
knowledge, thinking and outsmarting the red teams; I am certainly
aware of the allure of the approaches that involve absolutist
statements like "anything weak [including bitcoin if it does have
weaknesses] deserves to die and be actively exploited" but it's not
something I am interested in espousing...nor do I think it would be
healthy for this community to internalize that perspective. Instead we
should continue to work on highly defensible software, and keep
vigilant in regards to security. In "the [civilized] garden" I would
expect there to be a general understanding that people collaborate and
work together to build highly defensible evolving systems even if
there exists knowledge of vulnerabilities. But we shouldn't be
surprised when we don't go out of our way to contribute to
alternative/parasitic systems... and we shouldn't be encouraging each
other to actively bring about the eschaton by way of mishandling
knowledge of vulnerabilities...
I know these issues are difficult to get a handle on. Hopefully I've
provided some useful perspective.
- Bryan
http://heybryan.org/
1 512 203 0507
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 4:49 ` Sergio Demian Lerner
@ 2017-09-12 16:10 ` Simon Liu
2017-09-14 5:27 ` Anthony Towns
2017-09-12 17:57 ` Gregory Maxwell
1 sibling, 1 reply; 17+ messages in thread
From: Simon Liu @ 2017-09-12 16:10 UTC (permalink / raw)
To: Sergio Demian Lerner, Bitcoin Protocol Discussion, Anthony Towns
It would be a good starting point if the current policy could be
clarified, so everyone is on the same page, and there is no confusion.
On 09/11/2017 09:49 PM, Sergio Demian Lerner via bitcoin-dev wrote:
> Historically people have published vulnerabilities in Bitcoin only after
>>80% of the nodes have upgraded. This seems to be the general (but not
> publicly stated) policy. If you're a core developer and you know better,
> please correct me.
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 3:37 ` Anthony Towns
2017-09-12 4:49 ` Sergio Demian Lerner
2017-09-12 5:18 ` Bryan Bishop
@ 2017-09-12 17:41 ` Gregory Maxwell
2 siblings, 0 replies; 17+ messages in thread
From: Gregory Maxwell @ 2017-09-12 17:41 UTC (permalink / raw)
To: Anthony Towns, Bitcoin Protocol Discussion
On Tue, Sep 12, 2017 at 3:37 AM, Anthony Towns via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> If you can't pick even a small group that's trustworthy
No.
> I find it hard to imagine bitcoin's still obscure enough that people
> aren't tracking git commit logs to use them as inspiration for attacks
For embargoed fixes we test the specific fixes against experienced
developers inside the project, handing them the proposed commit and
informing them that it fixes a vulnerability and asking them to
identify it.
This does not guarantee that the fix won't leak the issue, but in
virtually all cases in the past the issues we've dealt with would not
be made worse off being leaked in that way vs just making it public
outright.
If we had an issue that would be-- e.g. an RCE that could lead to
private key theft, we would likely handle it differently (e.g. making
a public notice to take sensitive systems offline before attempting
any fix).
> I would have thought it'd
> only be a few months of development time between a fix being proposed
> as a PR or committed to master and black hats having the ability to
> exploit it in users who are running older nodes. (Or for that matter,
> being able to be exploited by otherwise legitimate bitcoin businesses
> with an agenda to push, a strong financial motive behind that agenda,
> and a legal team that says they'll get away with it)
History does not support your assumptions.
>> 2- Unlike other software, I'm not sure good security for bitcoin is defined by
>> constant upgrading. Obviously upgrading has an important benefit, but one of
>> the security considerations for Bitcoin is knowing that your definition of the
>> money hasn't changed. Much harder to know that if you change software.
>
> Isn't that just an argument for putting more effort into backporting
> fixes/workarounds?
Not really. Any forced change still creates centralization,
dependence, and an opportunity for insecurity.
> (I don't see how you do that without essentially
> publically disclosing which patches have a security impact -- "oh,
> gosh, this patch gets a backport, I wonder if maybe it has security
> implications...")
That is a concern too, but our bar for backport fixes is low enough
that they're often able to include more serious fixes without calling
attention to them.
> (In so far as bitcoin is a consensus system, there can sometimes be a
> positive network effect, where having other people upgrade can help your
> security, even if you don't upgrade; "herd immunity" if you will.
This is true even outside of the consensus critical parts. In the P2P
network other people upgrading can be protective.
> If altcoin maintainers are inconvenienced by tracking bitcoin-core
> updates, that would be an argument for them to contribute back to their
Sure, a few have. Most do not because they are either not focused on
software quality or consider themselves as having an adversarial
relationship with Bitcoin.
> keep up with security fixes, that's probably valuable information to
> provide to the market...
If you'd like to provide the sort of valuable information to the
market which may get you sued or targeted for harassment of physical
attack-- feel free. Don't ask the rest of us to do so.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 4:49 ` Sergio Demian Lerner
2017-09-12 16:10 ` Simon Liu
@ 2017-09-12 17:57 ` Gregory Maxwell
1 sibling, 0 replies; 17+ messages in thread
From: Gregory Maxwell @ 2017-09-12 17:57 UTC (permalink / raw)
To: Sergio Demian Lerner, Bitcoin Protocol Discussion
On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> It also implies that some times a researcher works hard to investigate a
> vulnerability and later he finds out it was previously reported. It also
> means that the researcher cannot report to alt-coins which have a different
> policy.
I agree with your post, but wanted to make a point of clarification on
the use of "can't".
If someone wants to report something to the Bitcoin project we're
obviously at your mercy in how we handle it. If we disagree on the
handling approach we may try to talk you into a different position
based with a rational judgement based on our experience (or, if
justified, advice that we're likely to whine about your approach in
public). But if you still want to go also report a common issue to
something else with a different approach then you can. Even our
ire/whining can be avoided by a sincere effort to communicate and give
us an opportunity to mitigate harm.
That said, as mentioned, we'd encourage otherwise for issues that
warrant it-- and I think with cause enough that the reporter will
agree. So that is a different kind of "cant". :)
In Bitcoin the overwhelming majority of serious issues we've
encountered have been found by people I'd consider 'inside the
project' (frequent regular contributors who aren't seriously involved
in other things). That hasn't been so obviously the case for other
open source projects that I've been involved with; but Bitcoin is
pretty good from a basic security perspective and finding additional
issues often requires specialized experience that few people outside
of the project regulars have (though some, like Sergio, clearly do).
I know through direct experience that both Mozilla and the Chrome
project fix _serious_ (like RCE bugs) issues based on internal
discoveries which they do not make public (apparently ever), though
they may coordinate with distributors on some of them. (Some of
these experiences are also why I give the advice that you should not
consider any computer which has ever run a web browser to be strongly
secure...)
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-12 16:10 ` Simon Liu
@ 2017-09-14 5:27 ` Anthony Towns
2017-09-22 2:00 ` Nathan Wilcox
0 siblings, 1 reply; 17+ messages in thread
From: Anthony Towns @ 2017-09-14 5:27 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
On Tue, Sep 12, 2017 at 09:10:18AM -0700, Simon Liu wrote:
> It would be a good starting point if the current policy could be
> clarified, so everyone is on the same page, and there is no confusion.
Collecting various commentary from here and reddit, I think current de
facto policy is something like:
* Vulnerabilities should be reported via security@bitcoincore•org [0]
* A critical issue (that can be exploited immediately or is already
being exploited causing large harm) will be dealt with by:
* a released patch ASAP
* wide notification of the need to upgrade (or to disable affected
systems)
* minimal disclosure of the actual problem, to delay attacks
[1] [2]
* A non-critical vulnerability (because it is difficult or expensive to
exploit) will be dealt with by:
* patch and review undertaken in the ordinary flow of development
* backport of a fix or workaround from master to the current
released version [2]
* Devs will attempt to ensure that publication of the fix does not
reveal the nature of the vulnerability by providing the proposed fix
to experienced devs who have not been informed of the vulnerability,
telling them that it fixes a vulnerability, and asking them to identify
the vulnerability. [2]
* Devs may recommend other bitcoin implementations adopt vulnerability
fixes prior to the fix being released and widely deployed, if they
can do so without revealing the vulnerability; eg, if the fix has
significant performance benefits that would justify its inclusion. [3]
* Prior to a vulnerability becoming public, devs will generally recommend
to friendly altcoin devs that they should catch up with fixes. But this
is only after the fixes are widely deployed in the bitcoin network. [4]
* Devs will generally not notify altcoin developers who have behaved
in a hostile manner (eg, using vulnerabilities to attack others, or
who violate embargoes). [5]
* Bitcoin devs won't disclose vulnerability details until >80% of bitcoin
nodes have deployed the fixes. Vulnerability discovers are encouraged
and requested to follow the same policy. [1] [6]
Those seem like pretty good policies to me, for what it's worth.
I haven't seen anything that indicates bitcoin devs will *ever* encourage
public disclosure of vulnerabilities (as opposed to tolerating other
people publishing them [6]). So I'm guessing current de facto policy is
more along the lines of:
* Where possible, Bitcoin devs will never disclose vulnerabilities
publically while affected code may still be in use (including by
altcoins).
rather than something like:
* Bitcoin devs will disclose vulnerabilities publically after 99% of the
bitcoin network has upgraded [7], and fixes have been released for
at least 12 months.
Instinctively, I'd say documenting this policy (or whatever it actually
is) would be good, and having all vulnerabilities get publically released
eventually would also be good; that's certainly the more "open source"
approach. But arguing the other side:
- documenting security policy gives attackers a better handle on where
to find weak points; this may be more harm than there is benefit to
improving legitimate users' understanding of and confidence in the
development process
- the main benefit of public vulnerability disclosure is a better
working relationship with security researchers and perhaps better
understanding of what sort of bugs happen in practice in general;
but if most of your security research is effectively in house [6],
maybe those benefits aren't as great as the harm done by revealing
even old vulnerabilities to attackers
If the first of those arguments holds, well, hopefully this message has
egregious errors that no one will correct, or it will quickly get lost
in this list's archives...
Cheers,
aj
[0] http://bitcoincore.org/en/contact
referenced from .github/ISSUE_TEMPLATE.md in git
[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/014986.html
[2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/014990.html
[3] https://www.reddit.com/r/btc/comments/6zf1qo/peter_todd_nicely_pulled_away_attention_from_jjs/dmxcw70/
[4] https://www.reddit.com/r/btc/comments/6z827o/chris_jeffrey_jj_discloses_bitcoin_attack_vector/dmxdg83/
[5] https://www.reddit.com/r/btc/comments/6zb3lp/maxwell_admits_core_sat_on_vulnerability/dmv4y7g/
[6] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/014991.html
[7] Per http://luke.dashjr.org/programs/bitcoin/files/charts/branches.html
it seems like 1.7% of the network is running known-vulnerable versions
0.8 and 0.9; but only 0.37% are running 0.10 or 0.11, so that might argue
revealing any vulnerabilities fixed since 0.12.0 would be fine...
(bitnodes.21.co doesn't seem to break down anything earlier than 0.12)
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-14 5:27 ` Anthony Towns
@ 2017-09-22 2:00 ` Nathan Wilcox
2017-09-22 19:53 ` Sergio Demian Lerner
0 siblings, 1 reply; 17+ messages in thread
From: Nathan Wilcox @ 2017-09-22 2:00 UTC (permalink / raw)
To: Anthony Towns, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 8288 bytes --]
[inline responses]
On Thu, Sep 14, 2017 at 2:27 PM, Anthony Towns via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> On Tue, Sep 12, 2017 at 09:10:18AM -0700, Simon Liu wrote:
> > It would be a good starting point if the current policy could be
> > clarified, so everyone is on the same page, and there is no confusion.
>
> Collecting various commentary from here and reddit, I think current de
> facto policy is something like:
>
> * Vulnerabilities should be reported via security@bitcoincore•org [0]
>
> * A critical issue (that can be exploited immediately or is already
> being exploited causing large harm) will be dealt with by:
> * a released patch ASAP
> * wide notification of the need to upgrade (or to disable affected
> systems)
> * minimal disclosure of the actual problem, to delay attacks
> [1] [2]
>
> * A non-critical vulnerability (because it is difficult or expensive to
> exploit) will be dealt with by:
> * patch and review undertaken in the ordinary flow of development
> * backport of a fix or workaround from master to the current
> released version [2]
>
> * Devs will attempt to ensure that publication of the fix does not
> reveal the nature of the vulnerability by providing the proposed fix
> to experienced devs who have not been informed of the vulnerability,
> telling them that it fixes a vulnerability, and asking them to identify
> the vulnerability. [2]
>
> * Devs may recommend other bitcoin implementations adopt vulnerability
> fixes prior to the fix being released and widely deployed, if they
> can do so without revealing the vulnerability; eg, if the fix has
> significant performance benefits that would justify its inclusion. [3]
>
> * Prior to a vulnerability becoming public, devs will generally recommend
> to friendly altcoin devs that they should catch up with fixes. But this
> is only after the fixes are widely deployed in the bitcoin network. [4]
>
> * Devs will generally not notify altcoin developers who have behaved
> in a hostile manner (eg, using vulnerabilities to attack others, or
> who violate embargoes). [5]
>
> * Bitcoin devs won't disclose vulnerability details until >80% of bitcoin
> nodes have deployed the fixes. Vulnerability discovers are encouraged
> and requested to follow the same policy. [1] [6]
>
> Those seem like pretty good policies to me, for what it's worth.
>
>
I advocate a policy like this, except I propose two modifications:
- Point 4 should include *zero or more* altcoin developers, such that those
altcoins also deploy mitigations as early as Bitcoin. (Call this "early
altcoin disclosure".)
- Disclose of vulnerabilities, by social convention, always explicitly
names which altcoin developers were included in my proposed Early Altcoin
Disclosure and Point 6.
The rationale is that the policy should allow closer coordination with
altcoins. If the goal is minimizing economic damage, including altcoins
earlier may be the better trade-off between inclusiveness and secrecy. At
the same time, the policy doesn't establish *which* altcoins, which is a
tricky choice. However it *does* require disclosure of those relationships,
which provides a form of feedback on the system.
Imagine if altcoin X is compromised, and later disclosure occurs that
reveals that altcoin X was not contacted early, then this *might* indicate
leaks, maliciousness in the Bitcoin mitigation organization, or it *might*
be coincidence or dumb luck. In the other case, if the Bitcoin disclosure
reveals that X was indeed contacted early, then it probably indicates
incompetence of the altoin X.
Finally, notice that this kind of loose early disclosure policy can be
symmetric. For example, Zcash developers may choose to disclose
vulnerabilities they discover which affect Bitcoin to Bitcoin developers
*before* Zcash releases fixes, or before those fixes are widely adopted in
Zcash. We actually have a policy of doing this, since it's obvious that if
our mitigation process leaks and that's used to attack Bitcoin the
potential economic damage is very large.
> I haven't seen anything that indicates bitcoin devs will *ever* encourage
> public disclosure of vulnerabilities (as opposed to tolerating other
> people publishing them [6]). So I'm guessing current de facto policy is
> more along the lines of:
>
> * Where possible, Bitcoin devs will never disclose vulnerabilities
> publically while affected code may still be in use (including by
> altcoins).
>
> rather than something like:
>
> * Bitcoin devs will disclose vulnerabilities publically after 99% of the
> bitcoin network has upgraded [7], and fixes have been released for
> at least 12 months.
>
>
I advocate for something like the latter case. I'd like to see a timeout on
disclosure. There's an endless tail of alt-coins that could be affected,
and no guarantee all will vigilantly upgrade. Meanwhile, deciding which of
them to disclose to confidentially versus which should just receive hints
to apply new patches is tricky and political.
Having a global timeout is a reasonable stop-gap. I consider the cost of
never disclosing, publicly, a known vulnerbility to be very high, even if
the fix is ubiquitously deployed, because it's a loss of security
knowledge, a precious public good.
>
> Instinctively, I'd say documenting this policy (or whatever it actually
> is) would be good, and having all vulnerabilities get publically released
> eventually would also be good; that's certainly the more "open source"
> approach. But arguing the other side:
>
> - documenting security policy gives attackers a better handle on where
> to find weak points; this may be more harm than there is benefit to
> improving legitimate users' understanding of and confidence in the
> development process
>
>
Publishing a policy *might* increase organizational vulnerability, but so
might *not publishing* a policy. It seems fairly neutral to me on
vulnerability impact, whereas the benefit is good for users and developers.
> - the main benefit of public vulnerability disclosure is a better
> working relationship with security researchers and perhaps better
> understanding of what sort of bugs happen in practice in general;
> but if most of your security research is effectively in house [6],
> maybe those benefits aren't as great as the harm done by revealing
> even old vulnerabilities to attackers
>
>
Publishing after a reasonable timeout has many benefits. Many security
researchers learn from vulnerability disclosures across many disciplines
and industries. Future protocol designers of things potentially unrelated
to blockchain altogether may also learn important lessons.
If the first of those arguments holds, well, hopefully this message has
> egregious errors that no one will correct, or it will quickly get lost
> in this list's archives...
>
> Cheers,
> aj
>
>
regards,
Nathan Wilcox
Zcash
> [0] http://bitcoincore.org/en/contact
> referenced from .github/ISSUE_TEMPLATE.md in git
>
> [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-September/014986.html
>
> [2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-September/014990.html
>
> [3] https://www.reddit.com/r/btc/comments/6zf1qo/peter_todd_
> nicely_pulled_away_attention_from_jjs/dmxcw70/
>
> [4] https://www.reddit.com/r/btc/comments/6z827o/chris_jeffrey_
> jj_discloses_bitcoin_attack_vector/dmxdg83/
>
> [5] https://www.reddit.com/r/btc/comments/6zb3lp/maxwell_
> admits_core_sat_on_vulnerability/dmv4y7g/
>
> [6] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-September/014991.html
>
> [7] Per http://luke.dashjr.org/programs/bitcoin/files/charts/branches.html
> it seems like 1.7% of the network is running known-vulnerable versions
> 0.8 and 0.9; but only 0.37% are running 0.10 or 0.11, so that might
> argue
> revealing any vulnerabilities fixed since 0.12.0 would be fine...
> (bitnodes.21.co doesn't seem to break down anything earlier than 0.12)
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 11733 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [bitcoin-dev] Responsible disclosure of bugs
2017-09-22 2:00 ` Nathan Wilcox
@ 2017-09-22 19:53 ` Sergio Demian Lerner
0 siblings, 0 replies; 17+ messages in thread
From: Sergio Demian Lerner @ 2017-09-22 19:53 UTC (permalink / raw)
To: Nathan Wilcox, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 10013 bytes --]
The policy seems good with the exception of this paragraph:
* Bitcoin devs will disclose vulnerabilities publically after 99% of the
bitcoin network has upgraded [7], and fixes have been released for
at least 12 months.
99% upgrade may never be reached. Some nodes cannot even be categorized. I
suggest a number close to 95%.
If the 95% of network has upgraded, it means we're pretty secure from the
point of view of consensus. It is supposed that from the time the fix has
been released, all other alt-coins will also have released their fixes.
Remember we must also incentivize security researchers to do the hard and
silent research work. Most of them do not hold Bitcoins. They do research
because of other interests, including getting public acknowledgment for
their findings. They'll be frustrated if they have to wait 2 years.
I propose this paragraph to replace the previous one:
* Bitcoin devs will disclose vulnerabilities publically after 95% of the
bitcoin network has upgraded [7], and fixes have been released for
at least 6 months.
Also I suggest we track vulnerabilities with standard CVE codes. IS there
any drawback of this?
regards
On Thu, Sep 21, 2017 at 11:00 PM, Nathan Wilcox via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> [inline responses]
>
>
> On Thu, Sep 14, 2017 at 2:27 PM, Anthony Towns via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> On Tue, Sep 12, 2017 at 09:10:18AM -0700, Simon Liu wrote:
>> > It would be a good starting point if the current policy could be
>> > clarified, so everyone is on the same page, and there is no confusion.
>>
>> Collecting various commentary from here and reddit, I think current de
>> facto policy is something like:
>>
>> * Vulnerabilities should be reported via security@bitcoincore•org [0]
>>
>> * A critical issue (that can be exploited immediately or is already
>> being exploited causing large harm) will be dealt with by:
>> * a released patch ASAP
>> * wide notification of the need to upgrade (or to disable affected
>> systems)
>> * minimal disclosure of the actual problem, to delay attacks
>> [1] [2]
>>
>> * A non-critical vulnerability (because it is difficult or expensive to
>> exploit) will be dealt with by:
>> * patch and review undertaken in the ordinary flow of development
>> * backport of a fix or workaround from master to the current
>> released version [2]
>>
>> * Devs will attempt to ensure that publication of the fix does not
>> reveal the nature of the vulnerability by providing the proposed fix
>> to experienced devs who have not been informed of the vulnerability,
>> telling them that it fixes a vulnerability, and asking them to identify
>> the vulnerability. [2]
>>
>> * Devs may recommend other bitcoin implementations adopt vulnerability
>> fixes prior to the fix being released and widely deployed, if they
>> can do so without revealing the vulnerability; eg, if the fix has
>> significant performance benefits that would justify its inclusion. [3]
>>
>> * Prior to a vulnerability becoming public, devs will generally recommend
>> to friendly altcoin devs that they should catch up with fixes. But this
>> is only after the fixes are widely deployed in the bitcoin network. [4]
>>
>> * Devs will generally not notify altcoin developers who have behaved
>> in a hostile manner (eg, using vulnerabilities to attack others, or
>> who violate embargoes). [5]
>>
>> * Bitcoin devs won't disclose vulnerability details until >80% of bitcoin
>> nodes have deployed the fixes. Vulnerability discovers are encouraged
>> and requested to follow the same policy. [1] [6]
>>
>> Those seem like pretty good policies to me, for what it's worth.
>>
>>
> I advocate a policy like this, except I propose two modifications:
>
> - Point 4 should include *zero or more* altcoin developers, such that
> those altcoins also deploy mitigations as early as Bitcoin. (Call this
> "early altcoin disclosure".)
>
> - Disclose of vulnerabilities, by social convention, always explicitly
> names which altcoin developers were included in my proposed Early Altcoin
> Disclosure and Point 6.
>
> The rationale is that the policy should allow closer coordination with
> altcoins. If the goal is minimizing economic damage, including altcoins
> earlier may be the better trade-off between inclusiveness and secrecy. At
> the same time, the policy doesn't establish *which* altcoins, which is a
> tricky choice. However it *does* require disclosure of those relationships,
> which provides a form of feedback on the system.
>
> Imagine if altcoin X is compromised, and later disclosure occurs that
> reveals that altcoin X was not contacted early, then this *might* indicate
> leaks, maliciousness in the Bitcoin mitigation organization, or it *might*
> be coincidence or dumb luck. In the other case, if the Bitcoin disclosure
> reveals that X was indeed contacted early, then it probably indicates
> incompetence of the altoin X.
>
> Finally, notice that this kind of loose early disclosure policy can be
> symmetric. For example, Zcash developers may choose to disclose
> vulnerabilities they discover which affect Bitcoin to Bitcoin developers
> *before* Zcash releases fixes, or before those fixes are widely adopted in
> Zcash. We actually have a policy of doing this, since it's obvious that if
> our mitigation process leaks and that's used to attack Bitcoin the
> potential economic damage is very large.
>
>
>
>> I haven't seen anything that indicates bitcoin devs will *ever* encourage
>> public disclosure of vulnerabilities (as opposed to tolerating other
>> people publishing them [6]). So I'm guessing current de facto policy is
>> more along the lines of:
>>
>> * Where possible, Bitcoin devs will never disclose vulnerabilities
>> publically while affected code may still be in use (including by
>> altcoins).
>>
>> rather than something like:
>>
>> * Bitcoin devs will disclose vulnerabilities publically after 99% of the
>> bitcoin network has upgraded [7], and fixes have been released for
>> at least 12 months.
>>
>>
> I advocate for something like the latter case. I'd like to see a timeout
> on disclosure. There's an endless tail of alt-coins that could be affected,
> and no guarantee all will vigilantly upgrade. Meanwhile, deciding which of
> them to disclose to confidentially versus which should just receive hints
> to apply new patches is tricky and political.
>
> Having a global timeout is a reasonable stop-gap. I consider the cost of
> never disclosing, publicly, a known vulnerbility to be very high, even if
> the fix is ubiquitously deployed, because it's a loss of security
> knowledge, a precious public good.
>
>
>>
>> Instinctively, I'd say documenting this policy (or whatever it actually
>> is) would be good, and having all vulnerabilities get publically released
>> eventually would also be good; that's certainly the more "open source"
>> approach. But arguing the other side:
>>
>> - documenting security policy gives attackers a better handle on where
>> to find weak points; this may be more harm than there is benefit to
>> improving legitimate users' understanding of and confidence in the
>> development process
>>
>>
> Publishing a policy *might* increase organizational vulnerability, but so
> might *not publishing* a policy. It seems fairly neutral to me on
> vulnerability impact, whereas the benefit is good for users and developers.
>
>
>
>> - the main benefit of public vulnerability disclosure is a better
>> working relationship with security researchers and perhaps better
>> understanding of what sort of bugs happen in practice in general;
>> but if most of your security research is effectively in house [6],
>> maybe those benefits aren't as great as the harm done by revealing
>> even old vulnerabilities to attackers
>>
>>
> Publishing after a reasonable timeout has many benefits. Many security
> researchers learn from vulnerability disclosures across many disciplines
> and industries. Future protocol designers of things potentially unrelated
> to blockchain altogether may also learn important lessons.
>
>
> If the first of those arguments holds, well, hopefully this message has
>> egregious errors that no one will correct, or it will quickly get lost
>> in this list's archives...
>>
>> Cheers,
>> aj
>>
>>
> regards,
> Nathan Wilcox
> Zcash
>
>
>> [0] http://bitcoincore.org/en/contact
>> referenced from .github/ISSUE_TEMPLATE.md in git
>>
>> [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017
>> -September/014986.html
>>
>> [2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017
>> -September/014990.html
>>
>> [3] https://www.reddit.com/r/btc/comments/6zf1qo/peter_todd_nice
>> ly_pulled_away_attention_from_jjs/dmxcw70/
>>
>> [4] https://www.reddit.com/r/btc/comments/6z827o/chris_jeffrey_j
>> j_discloses_bitcoin_attack_vector/dmxdg83/
>>
>> [5] https://www.reddit.com/r/btc/comments/6zb3lp/maxwell_admits_
>> core_sat_on_vulnerability/dmv4y7g/
>>
>> [6] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017
>> -September/014991.html
>>
>> [7] Per http://luke.dashjr.org/programs/bitcoin/files/charts/branche
>> s.html
>> it seems like 1.7% of the network is running known-vulnerable versions
>> 0.8 and 0.9; but only 0.37% are running 0.10 or 0.11, so that might
>> argue
>> revealing any vulnerabilities fixed since 0.12.0 would be fine...
>> (bitnodes.21.co doesn't seem to break down anything earlier than
>> 0.12)
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
[-- Attachment #2: Type: text/html, Size: 14993 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2017-09-22 19:54 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-10 22:03 [bitcoin-dev] Responsible disclosure of bugs Simon Liu
2017-09-10 23:02 ` Matt Corallo
2017-09-10 23:28 ` CryptAxe
2017-09-11 2:15 ` Anthony Towns
2017-09-11 11:34 ` Alex Morcos
2017-09-11 17:43 ` Daniel Stadulis
2017-09-11 18:29 ` Gregory Maxwell
2017-09-12 4:47 ` Anthony Towns
2017-09-12 3:37 ` Anthony Towns
2017-09-12 4:49 ` Sergio Demian Lerner
2017-09-12 16:10 ` Simon Liu
2017-09-14 5:27 ` Anthony Towns
2017-09-22 2:00 ` Nathan Wilcox
2017-09-22 19:53 ` Sergio Demian Lerner
2017-09-12 17:57 ` Gregory Maxwell
2017-09-12 5:18 ` Bryan Bishop
2017-09-12 17:41 ` Gregory Maxwell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox