Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 104EC504 for ; Tue, 12 Sep 2017 04:48:10 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6A7B913E for ; Tue, 12 Sep 2017 04:48:09 +0000 (UTC) Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au) by azure.erisian.com.au with esmtpsa (Exim 4.84_2 #1 (Debian)) id 1drd7F-0000qk-Lx; Tue, 12 Sep 2017 14:48:07 +1000 Received: by sapphire.erisian.com.au (sSMTP sendmail emulation); Tue, 12 Sep 2017 14:47:58 +1000 Date: Tue, 12 Sep 2017 14:47:58 +1000 From: Anthony Towns To: Bitcoin Protocol Discussion Message-ID: <20170912044758.GE19080@erisian.com.au> References: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com> <20170911021506.GA19080@erisian.com.au> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Score: -1.9 X-Spam-Score-int: -18 X-Spam-Bar: - X-Spam-Status: No, score=0.0 required=5.0 tests=RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Responsible disclosure of bugs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Sep 2017 04:48:10 -0000 On Mon, Sep 11, 2017 at 10:43:52AM -0700, Daniel Stadulis wrote: > I think it's relevant to treat different bug severity levels with different > response plans.  That makes sense. For comparison, Monero defines a response process that has three levels and varies the response for each: ] a. HIGH: impacts network as a whole, has potential to break entire ] network, results in the loss of monero, or is on a scale of great ] catastrophe ] b. MEDIUM: impacts individual nodes, wallets, or must be carefully ] exploited ] c. LOW: is not easily exploitable -- https://github.com/monero-project/monero/blob/master/VULNERABILITY_RESPONSE_PROCESS.md Among other things, HIGH gets treated as an emergency, MEDIUM get fixed in a point release; LOW get deferred to the next regular release eg. Additionally, independently of the severity, Monero's doc says they'll either get their act together with a fix and report within 90 days, or otherwise the researcher that found the vulnerability has the right to publically disclose the issue themselves... I wouldn't say that's a perfect fit for bitcoin core (at a minimum, given the size of the ecosystem and how much care needs to go into releases, I think 90 days is probably too short), but it seems better than current practice... For comparison, if you're an altcoin developer or just bitcoin core user, and are trying to work out whether the software you're using is secure; if you do a quick google and end up at: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures you might conclude that as long as you're running version 0.11 or later, you're fine. That doesn't seem like an accurate conclusion for people to draw; but if you're not tracking every commit/PR, how do you do any better than that? Maybe transitioning from keeping things private indefinitely to having a public disclosure policy is tricky. Maybe it might work to build up to it, something like: * We'll start releasing info about security vulnerabilities fixed in 0.12.0 and earlier releases as of 2018-01-01 * Then we'll continue with 0.13.0 and earlier as of 2018-03-01 * Likewise for 0.14.0 as of 2018-05-01 * Thereafter we'll adopt a regular policy at http://... That or something like it at least gives people relying on older, potentially vulnerable versions a realistic chance to privately prepare and deploy any upgrades or fixes they've missed out on until now. Cheers, aj