Bitcoin Core Security Disclosure Policy
638 views
Skip to first unread message
Antoine Poinsot
Jul 3, 2024, 9:10:10 AMJul 3
to Bitcoin Development Mailing List
Hi everyone,
We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.
Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.
Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.
Please let us know if this policy may have a significant negative impact for you.
Anthony, Antoine, Ava, Michael, Niklas and Pieter.
We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.
Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.
Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.
Please let us know if this policy may have a significant negative impact for you.
Anthony, Antoine, Ava, Michael, Niklas and Pieter.
Eric Voskuil
Jul 3, 2024, 9:13:15 PMJul 3
to Bitcoin Development Mailing List
> The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
I have to say this is one of the most compelling statements I've seen from the bitcoind/Bitcoin Core team in over 10 years. Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don't know what precipitated this change, but props to you all for stepping up.Best,
Eric
Antoine Riard
Jul 8, 2024, 9:16:15 PM (10 days ago) Jul 8
to Bitcoin Development Mailing List
Hello Antoine,
For information the lifecycle of each bitcoin core release has been updated with EOL dates for each version:
That way it's great if you plan to throw bitcoin core or some of its components on secure hardware env, where lifecycles can be harder to manage.
True thanks the six of you for all the work done on putting in place a better disclosure policy.
Best,
Antoine (the other one)
Antoine Riard
Jul 8, 2024, 9:16:17 PM (10 days ago) Jul 8
to Bitcoin Development Mailing List
Hi Eric,
> Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community
Without getting in unnecessarily re-opening old wounds, if you have examples of what has caused material harm to the community, it can be interesting to share.
From experience with second-layers, as soon as you start to have many codebases affected by a vuln, it's another kind of dynamics so good to draw lessons.
About the timing, among many factors, the bitcoin whitepaper assignment legal issue is hopefully less a concern now so some competent people have more time to handle that job of publicly disclosing security bugs. In addition, the bitcoin open-source landscape has more resources (for the best and worst) than 10 years ago. From sharing beers with Amir not so lately, it wasn't that +10 years ago. I know he was kicked-off from the original sec list, though I'm not sure the reasons are well-known.
Best,
Antoine
Reply all
Reply to author
Forward
0 new messages