Delivery-date: Wed, 03 Jul 2024 06:10:17 -0700
Received-SPF: pass (google.com: domain of darosior@protonmail.com designates 185.70.43.25 as permitted sender) client-ip=185.70.43.25;
Date: Wed, 03 Jul 2024 12:57:48 +0000
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
From: "'Antoine Poinsot' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Bitcoin Core Security Disclosure Policy
Message-ID: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
Feedback-ID: 7060259:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Reply-To: Antoine Poinsot <darosior@protonmail.com>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com

Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for  discl=
osing security vulnerabilities.

The project has historically done a poor job at publicly disclosing securit=
y-critical bugs, whether externally reported or found by contributors. This=
 has led to a situation where a lot of users perceive Bitcoin Core as never=
 having bugs. This perception is dangerous and, unfortunately, not accurate=
.

Besides a better communication of the risk of running outdated versions, a =
consistent tracking and standardized disclosure process would set clear exp=
ectations for security researchers, providing them with an incentive to try=
 finding vulnerabilities *and* to responsibly disclose them. Making the sec=
urity bugs available to the wider group of contributors can help prevent fu=
ture ones.

Over the past months, we've worked on setting this up. Here is the disclosu=
re policy we came up with.

When reported, a vulnerability will be assigned a severity category. We dif=
ferentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instanc=
e a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote=
 crash.
- **High**: bugs with significant impact. For instance a remote crash, or a=
 local network RCE.=20
- **Critical**: bugs which threaten the whole network's integrity. For inst=
ance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version is re=
leased. A pre-announcement will be made at the same time as the release.

**Medium** and **high** severity bugs will be disclosed 2 weeks after the l=
ast affected release goes EOL. This is a year after a fixed version was fir=
st released. A pre-announcement will be made 2 weeks prior to disclosure.

**Critical** bugs are not considered in the standard policy, as they would =
most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported issue =
may be considered serious yet not require an embargo.

This policy will be gradually adopted in the coming months. Today we will d=
isclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earli=
er. Later in july we will disclose all vulnerabilities fixed in Bitcoin Cor=
e version 22.0. In august, all vulnerabilities fixed in Bitcoin Core versio=
n 23.0. And so on until we run out of EOL versions to disclose vulnerabilit=
ies for.

Please let us know if this policy may have a significant negative impact fo=
r you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG=
3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4%3D%40protonmail.com.