Date: Wed, 03 Jul 2024 12:57:48 +0000
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
From: "'Antoine Poinsot' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Bitcoin Core Security Disclosure Policy
Message-ID: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
Reply-To: Antoine Poinsot <darosior@protonmail.com>

Hi everyone,

We are writing to announce the policy Bitcoin Core will be using for disclosing security vulnerabilities.

The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.

Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones.

Over the past months, we've worked on setting this up. Here is the disclosure policy we came up with.

When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- **Low**: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- **Medium**: bugs with limited impact. For instance a local network remote crash.
- **High**: bugs with significant impact. For instance a remote crash, or a local network RCE.
- **Critical**: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.

**Low** severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.

**Medium** and **high** severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.

**Critical** bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure.

Also, a bug may not be considered a vulnerability at all. A reported issue may be considered serious yet not require an embargo.

This policy will be gradually adopted in the coming months. Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in July we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In August, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for.

Please let us know if this policy may have a significant negative impact for you.

Anthony, Antoine, Ava, Michael, Niklas and Pieter.

To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4%3D%40protonmail.com.