Date: Wed, 03 Jul 2024 12:57:48 +0000
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
From: "'Antoine Poinsot' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Bitcoin Core Security Disclosure Policy
Message-ID: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
X-Original-From: Antoine Poinsot <darosior@protonmail.com>
Reply-To: Antoine Poinsot <darosior@protonmail.com>

Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.

The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.

Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.

Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.

When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.

**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.

**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.

This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in July we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In August, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.

Please let us know if this policy may have a significant negative impact for you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.
-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4%3D%40protonmail.com