* [bitcoindev] Bitcoin Core Security Disclosure Policy
@ 2024-07-03 12:57 'Antoine Poinsot' via Bitcoin Development Mailing List
2024-07-03 17:20 ` [bitcoindev] " Antoine Riard
2024-07-04 0:44 ` Eric Voskuil
0 siblings, 2 replies; 4+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2024-07-03 12:57 UTC (permalink / raw)
To: Bitcoin Development Mailing List
Hi everyone,
We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.
Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.
Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.
Please let us know if this policy may have a significant negative impact for you.
Anthony, Antoine, Ava, Michael, Niklas and Pieter.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4%3D%40protonmail.com.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
2024-07-03 12:57 [bitcoindev] Bitcoin Core Security Disclosure Policy 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2024-07-03 17:20 ` Antoine Riard
2024-07-04 0:44 ` Eric Voskuil
1 sibling, 0 replies; 4+ messages in thread
From: Antoine Riard @ 2024-07-03 17:20 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 3719 bytes --]
Hello Antoine,
For information the lifecycle of each bitcoin core release has been updated
with EOL dates for each version:
https://bitcoincore.org/en/lifecycle/
That way it's great if you plan to throw bitcoin core or some of its
components on secure hardware env, where lifecycles can be harder to manage.
True thanks the six of you for all the work done on putting in place a
better disclosure policy.
Best,
Antoine (the other one)
Le mercredi 3 juillet 2024 à 14:10:10 UTC+1, Antoine Poinsot a écrit :
> Hi everyone,
>
> We are writing to announce the policy Bitcoin Core will be using for
> disclosing security vulnerabilities.
>
> The project has historically done a poor job at publicly disclosing
> security-critical bugs, whether externally reported or found by
> contributors. This has led to a situation where a lot of users perceive
> Bitcoin Core as never having bugs. This perception is dangerous and,
> unfortunately, not accurate.
>
> Besides a better communication of the risk of running outdated versions, a
> consistent tracking and standardized disclosure process would set clear
> expectations for security researchers, providing them with an incentive to
> try finding vulnerabilities *and* to responsibly disclose them. Making the
> security bugs available to the wider group of contributors can help prevent
> future ones.
>
> Over the past months, we've worked on setting this up. Here is the
> disclosure policy we came up with.
>
> When reported, a vulnerability will be assigned a severity category. We
> differentiate between 4 classes of vulnerabilities:
> - **Low**: bugs which are hard to exploit or have a low impact. For
> instance a wallet bug which requires access to the victim's machine.
> - **Medium**: bugs with limited impact. For instance a local network
> remote crash.
> - **High**: bugs with significant impact. For instance a remote crash, or
> a local network RCE.
> - **Critical**: bugs which threaten the whole network's integrity. For
> instance an inflation or coin theft bug.
>
> **Low** severity bugs will be disclosed 2 weeks after a fixed version is
> released. A pre-announcement will be made at the same time as the release.
>
> **Medium** and **high** severity bugs will be disclosed 2 weeks after the
> last affected release goes EOL. This is a year after a fixed version was
> first released. A pre-announcement will be made 2 weeks prior to disclosure.
>
> **Critical** bugs are not considered in the standard policy, as they would
> most likely require an ad-hoc procedure.
>
> Also, a bug may not be considered a vulnerability at all. A reported issue
> may be considered serious yet not require an embargo.
>
> This policy will be gradually adopted in the coming months. Today we will
> disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and
> earlier. Later in july we will disclose all vulnerabilities fixed in
> Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin
> Core version 23.0. And so on until we run out of EOL versions to disclose
> vulnerabilities for.
>
> Please let us know if this policy may have a significant negative impact
> for you.
>
> Anthony, Antoine, Ava, Michael, Niklas and Pieter.
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 4272 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
2024-07-03 12:57 [bitcoindev] Bitcoin Core Security Disclosure Policy 'Antoine Poinsot' via Bitcoin Development Mailing List
2024-07-03 17:20 ` [bitcoindev] " Antoine Riard
@ 2024-07-04 0:44 ` Eric Voskuil
2024-07-04 14:34 ` Antoine Riard
1 sibling, 1 reply; 4+ messages in thread
From: Eric Voskuil @ 2024-07-04 0:44 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 1052 bytes --]
> The project has historically done a poor job at publicly disclosing
security-critical bugs, whether externally reported or found by
contributors. This has led to a situation where a lot of users perceive
Bitcoin Core as never having bugs. This perception is dangerous and,
unfortunately, not accurate.
I have to say this is one of the most compelling statements I've seen from
the bitcoind/Bitcoin Core team in over 10 years. Many other projects have
been on the receiving end of this misperception, and it has in fact caused
material harm to the community. I don't know what precipitated this change,
but props to you all for stepping up.
Best,
Eric
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/a9f31b7f-08c9-4ee0-97a0-1c8708ad5c63n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 1340 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
2024-07-04 0:44 ` Eric Voskuil
@ 2024-07-04 14:34 ` Antoine Riard
0 siblings, 0 replies; 4+ messages in thread
From: Antoine Riard @ 2024-07-04 14:34 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 2267 bytes --]
Hi Eric,
> Many other projects have been on the receiving end of this misperception,
and it has in fact caused material harm to the community
Without getting in unnecessarily re-opening old wounds, if you have
examples of what has caused material harm to the community, it can be
interesting to share.
From experience with second-layers, as soon as you start to have many
codebases affected by a vuln, it's another kind of dynamics so good to draw
lessons.
> I don't know what precipitated this change, but props to you all for
stepping up.
About the timing, among many factors, the bitcoin whitepaper assignment
legal issue is hopefully less a concern now so some competent people have
more time to handle that job of publicly disclosing security bugs. In
addition, the bitcoin open-source landscape has more resources (for the
best and worst) than 10 years ago. From sharing beers with Amir not so
lately, it wasn't that +10 years ago. I know he was kicked-off from the
original sec list, though I'm not sure the reasons are well-known.
Best,
Antoine
Le jeudi 4 juillet 2024 à 02:13:15 UTC+1, Eric Voskuil a écrit :
> > The project has historically done a poor job at publicly disclosing
> security-critical bugs, whether externally reported or found by
> contributors. This has led to a situation where a lot of users perceive
> Bitcoin Core as never having bugs. This perception is dangerous and,
> unfortunately, not accurate.
>
> I have to say this is one of the most compelling statements I've seen from
> the bitcoind/Bitcoin Core team in over 10 years. Many other projects have
> been on the receiving end of this misperception, and it has in fact caused
> material harm to the community. I don't know what precipitated this change,
> but props to you all for stepping up.
>
> Best,
> Eric
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/46a677b3-3838-4a2d-b8d3-8c0e05e4139dn%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 2850 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-07-09 1:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-07-03 12:57 [bitcoindev] Bitcoin Core Security Disclosure Policy 'Antoine Poinsot' via Bitcoin Development Mailing List
2024-07-03 17:20 ` [bitcoindev] " Antoine Riard
2024-07-04 0:44 ` Eric Voskuil
2024-07-04 14:34 ` Antoine Riard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox