public inbox for bitcoindev@googlegroups.com
From: "'Antoine Poinsot' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Bitcoin Core Security Disclosure Policy
Date: Wed, 03 Jul 2024 12:57:48 +0000
Message-ID: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>

Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.

The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.

Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.

Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.

When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.

**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.

**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.

This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in July we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In August, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.

Please let us know if this policy may have a significant negative impact for you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.

