Date: Wed, 03 Jul 2024 12:57:48 +0000
To: Bitcoin Development Mailing List
From: "'Antoine Poinsot' via Bitcoin Development Mailing List"
Subject: [bitcoindev] Bitcoin Core Security Disclosure Policy

Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.
The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.

Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.

Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.

When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:

- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.

**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.

**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.
This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in July we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In August, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.

Please let us know if this policy may have a significant negative impact on you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.