Bitcoin Core Security Disclosure Policy
247 views
Skip to first unread message
Antoine Poinsot
9:10 AM (8 hours ago) 9:10 AM
to Bitcoin Development Mailing List
Hi everyone,
We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.
Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.
Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.
Please let us know if this policy may have a significant negative impact for you.
Anthony, Antoine, Ava, Michael, Niklas and Pieter.
We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.
Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.
Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.
Please let us know if this policy may have a significant negative impact for you.
Anthony, Antoine, Ava, Michael, Niklas and Pieter.
Reply all
Reply to author
Forward
0 new messages