Delivery-date: Mon, 08 Jul 2024 18:16:22 -0700 Received: from mail-yb1-f188.google.com ([209.85.219.188]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sQzSv-0005J7-H7 for bitcoindev@gnusha.org; Mon, 08 Jul 2024 18:16:22 -0700 Received: by mail-yb1-f188.google.com with SMTP id 3f1490d57ef6-e032d4cf26asf8903857276.3 for ; Mon, 08 Jul 2024 18:16:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1720487775; x=1721092575; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:sender:from :to:cc:subject:date:message-id:reply-to; bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=; b=Hw2y5+/HufL6V+Hub3mAe6Cp0t1wtliullFNaE/W2x1gR960Oma6wyM05zlBoHYfXZ GUhewDKyJC62CwWJ9nJWQMvxPd7uNgiyBhc78J1scOoLhNwdB3rW9siDJbdTXwxYS8+R 34DtHCE8dg0nc4MhiXrSEiiu3ccE+YIyhWfBG0zbRzs9WfPN9AbUyldKAECLxurf5Fv6 YkSyDgtiTCgijTs39M58v8afWu9SIiLeo5IyRbs2cR/mYEQxxjjbBsbR1w3iKOO2Qvvj xnJ1Qqc50dku7Pc6nZ07Cy0oRM+1nGrt9XNUDHHDtyFaBP/84NWY7W6FGBTjdTrJ9tYS N4Zw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720487775; x=1721092575; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:from:to:cc :subject:date:message-id:reply-to; bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=; b=jE+DC2Menl4f5YFpWjO2tuOiAQmy7IvOuKB5iQoOVO69GCMXSPgXCwc8959ctlxILd NlcuSOqh0sX76j7a/L1a2Yolet0URPUskB0lO9hK/fGfZELe3hmR3xq5HKTKx6IHb+iD nbRgf4mDMeWwrlgaOd891MP3EJYvnQGd4xbEhA1vh46NizPNTIg2sR6A25sWzx0RWKJk kxGZMIGuLtCCMd11EG9RDKCgi/0pMoYxnte27hNHiqpzdXjvTf4fFO+8PGMRzj0fnKxQ sBYZliZmLS7AZYNKK85sN5PEYSeCz9YYsM3QsMbBGdtaMtfYxu7zUJHyooklGXGRAiYK nvWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720487775; x=1721092575; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=; b=ojTOnGoGj0aZCGB6xOgMJdH46BWuEtRgWsDXB/iadftUuddQlZ2gD585ihCL3EUn6P me6WGNhrC3kUYM/VwpYOHUloOWSUlzOniEb3DGuPSNjEXXe37oEnZmFQFgAfPO12aw57 rAqUAaedYmeSVF9RqeOmvzEI94PKNZkSxXnSHRgKRlXgLQCrs7p+l+pmN5eqnj6DW5+Y amJqdGXatFjSmumEWO0L76wY93oNu3q3WMXmhjB+iG+xqCpVDFJTpzS/RPOK4K+k4M2H Lxe/d/HXyFCEhXBBN4SNAJa7yIDIZCLbhaqaSUt9+DukD/8msrs0I+LfVHL+3/MpGfFo WhJg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=1; AJvYcCVmqMhPdtNi2rY29aoezvGEA5CV894XzBYB5hdgkw816Byg9GXwGht8YkaloTctEwIzosIxSwbkYDTCQthB2wbjRW1NiWc= X-Gm-Message-State: AOJu0YxFMXJ2UL4383UcUAcpnoH6bYSVdrfWObyZeUu16Rw8+VM4NSuJ SE3MwhePNmYPUYki4oG4+z8lvpVe5+rcKQwWyu+nekxPpnmh12dV X-Google-Smtp-Source: AGHT+IH5RNBGd0kL34Cj3J4IQT1x/pCh7gQFhJkCwb1NtNpvtohhStUiDtsZ4wiQBvEiG5sjvFVPxQ== X-Received: by 2002:a25:8011:0:b0:e02:bf87:7cce with SMTP id 3f1490d57ef6-e041b177ddamr1426891276.64.1720487775234; Mon, 08 Jul 2024 18:16:15 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:6902:120d:b0:dfa:77ba:dc1f with SMTP id 3f1490d57ef6-e03bd0b100bls6623237276.2.-pod-prod-06-us; Mon, 08 Jul 2024 18:16:13 -0700 (PDT) X-Received: by 2002:a05:6902:2409:b0:e03:a0dd:43c1 with SMTP id 3f1490d57ef6-e041af4108cmr70608276.0.1720487773690; Mon, 08 Jul 2024 18:16:13 -0700 (PDT) Received: by 2002:a05:690c:2c0e:b0:627:7f59:2eee with SMTP id 00721157ae682-6514347c5d4ms7b3; Wed, 3 Jul 2024 10:20:08 -0700 (PDT) X-Received: by 2002:a05:6902:2b13:b0:df4:8ff6:47f4 with SMTP id 3f1490d57ef6-e036eaece89mr1214991276.1.1720027206791; Wed, 03 Jul 2024 10:20:06 -0700 (PDT) Date: Wed, 3 Jul 2024 10:20:06 -0700 (PDT) From: Antoine Riard To: Bitcoin Development Mailing List Message-Id: <2414b7a9-3f38-4641-a2c5-58aa37691fe5n@googlegroups.com> In-Reply-To: References: Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_198517_162868746.1720027206566" X-Original-Sender: antoine.riard@gmail.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) ------=_Part_198517_162868746.1720027206566 Content-Type: multipart/alternative; boundary="----=_Part_198518_521066554.1720027206566" ------=_Part_198518_521066554.1720027206566 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello Antoine, For information the lifecycle of each bitcoin core release has been updated= =20 with EOL dates for each version: https://bitcoincore.org/en/lifecycle/ That way it's great if you plan to throw bitcoin core or some of its=20 components on secure hardware env, where lifecycles can be harder to manage= . True thanks the six of you for all the work done on putting in place a=20 better disclosure policy. Best, Antoine (the other one) Le mercredi 3 juillet 2024 =C3=A0 14:10:10 UTC+1, Antoine Poinsot a =C3=A9c= rit : > Hi everyone, > > We are writing to announce the policy Bitcoin Core will be using for=20 > disclosing security vulnerabilities. > > The project has historically done a poor job at publicly disclosing=20 > security-critical bugs, whether externally reported or found by=20 > contributors. This has led to a situation where a lot of users perceive= =20 > Bitcoin Core as never having bugs. This perception is dangerous and,=20 > unfortunately, not accurate. > > Besides a better communication of the risk of running outdated versions, = a=20 > consistent tracking and standardized disclosure process would set clear= =20 > expectations for security researchers, providing them with an incentive t= o=20 > try finding vulnerabilities *and* to responsibly disclose them. Making th= e=20 > security bugs available to the wider group of contributors can help preve= nt=20 > future ones. > > Over the past months, we've worked on setting this up. Here is the=20 > disclosure policy we came up with. > > When reported, a vulnerability will be assigned a severity category. We= =20 > differentiate between 4 classes of vulnerabilities: > - **Low**: bugs which are hard to exploit or have a low impact. For=20 > instance a wallet bug which requires access to the victim's machine. > - **Medium**: bugs with limited impact. For instance a local network=20 > remote crash. > - **High**: bugs with significant impact. For instance a remote crash, or= =20 > a local network RCE.=20 > - **Critical**: bugs which threaten the whole network's integrity. For=20 > instance an inflation or coin theft bug. > > **Low** severity bugs will be disclosed 2 weeks after a fixed version is= =20 > released. A pre-announcement will be made at the same time as the release= . > > **Medium** and **high** severity bugs will be disclosed 2 weeks after the= =20 > last affected release goes EOL. This is a year after a fixed version was= =20 > first released. A pre-announcement will be made 2 weeks prior to disclosu= re. > > **Critical** bugs are not considered in the standard policy, as they woul= d=20 > most likely require an ad-hoc procedure. > > Also, a bug may not be considered a vulnerability at all. A reported issu= e=20 > may be considered serious yet not require an embargo. > > This policy will be gradually adopted in the coming months. Today we will= =20 > disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and=20 > earlier. Later in july we will disclose all vulnerabilities fixed in=20 > Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoi= n=20 > Core version 23.0. And so on until we run out of EOL versions to disclose= =20 > vulnerabilities for. > > Please let us know if this policy may have a significant negative impact= =20 > for you. > > Anthony, Antoine, Ava, Michael, Niklas and Pieter. > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/= bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com. ------=_Part_198518_521066554.1720027206566 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello Antoine,

For information the lifecycle of each b= itcoin core release has been updated with EOL dates for each version:
=
https://bitcoincore.org/en/lifecycle/

That way it's great if you plan to throw bitcoin core or some of its compo= nents on secure hardware env, where lifecycles can be harder to manage.

True thanks the six of you for all the work done on= putting in place a better disclosure policy.

Be= st,
Antoine (the other one)
Le mercredi 3 juillet 2024 =C3=A0 14:10:1= 0 UTC+1, Antoine Poinsot a =C3=A9crit=C2=A0:
Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for d= isclosing security vulnerabilities.

The project has historically done a poor job at publicly disclosing sec= urity-critical bugs, whether externally reported or found by contributors. = This has led to a situation where a lot of users perceive Bitcoin Core as n= ever having bugs. This perception is dangerous and, unfortunately, not accu= rate.

Besides a better communication of the risk of running outdated versions= , a consistent tracking and standardized disclosure process would set clear= expectations for security researchers, providing them with an incentive to= try finding vulnerabilities *and* to responsibly disclose them. Making the= security bugs available to the wider group of contributors can help preven= t future ones.

Over the past months, we've worked on setting this up. Here is the = disclosure policy we came up with.

When reported, a vulnerability will be assigned a severity category. We= differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For ins= tance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network re= mote crash.
- **High**: bugs with significant impact. For instance a remote crash, = or a local network RCE.=20
- **Critical**: bugs which threaten the whole network's integrity. = For instance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version i= s released. A pre-announcement will be made at the same time as the release= .

**Medium** and **high** severity bugs will be disclosed 2 weeks after t= he last affected release goes EOL. This is a year after a fixed version was= first released. A pre-announcement will be made 2 weeks prior to disclosur= e.

**Critical** bugs are not considered in the standard policy, as they wo= uld most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported is= sue may be considered serious yet not require an embargo.

This policy will be gradually adopted in the coming months. Today we wi= ll disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and e= arlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin= Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core ve= rsion 23.0. And so on until we run out of EOL versions to disclose vulnerab= ilities for.

Please let us know if this policy may have a significant negative impac= t for you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg= id/bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com.=
------=_Part_198518_521066554.1720027206566-- ------=_Part_198517_162868746.1720027206566--