1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
|
Delivery-date: Mon, 08 Jul 2024 18:16:22 -0700
Received: from mail-yb1-f188.google.com ([209.85.219.188])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBC3PT7FYWAMRBXM6WK2AMGQEL72UNCQ@googlegroups.com>)
id 1sQzSv-0005J7-H7
for bitcoindev@gnusha.org; Mon, 08 Jul 2024 18:16:22 -0700
Received: by mail-yb1-f188.google.com with SMTP id 3f1490d57ef6-e032d4cf26asf8903857276.3
for <bitcoindev@gnusha.org>; Mon, 08 Jul 2024 18:16:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1720487775; x=1721092575; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=;
b=Hw2y5+/HufL6V+Hub3mAe6Cp0t1wtliullFNaE/W2x1gR960Oma6wyM05zlBoHYfXZ
GUhewDKyJC62CwWJ9nJWQMvxPd7uNgiyBhc78J1scOoLhNwdB3rW9siDJbdTXwxYS8+R
34DtHCE8dg0nc4MhiXrSEiiu3ccE+YIyhWfBG0zbRzs9WfPN9AbUyldKAECLxurf5Fv6
YkSyDgtiTCgijTs39M58v8afWu9SIiLeo5IyRbs2cR/mYEQxxjjbBsbR1w3iKOO2Qvvj
xnJ1Qqc50dku7Pc6nZ07Cy0oRM+1nGrt9XNUDHHDtyFaBP/84NWY7W6FGBTjdTrJ9tYS
N4Zw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1720487775; x=1721092575; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=;
b=jE+DC2Menl4f5YFpWjO2tuOiAQmy7IvOuKB5iQoOVO69GCMXSPgXCwc8959ctlxILd
NlcuSOqh0sX76j7a/L1a2Yolet0URPUskB0lO9hK/fGfZELe3hmR3xq5HKTKx6IHb+iD
nbRgf4mDMeWwrlgaOd891MP3EJYvnQGd4xbEhA1vh46NizPNTIg2sR6A25sWzx0RWKJk
kxGZMIGuLtCCMd11EG9RDKCgi/0pMoYxnte27hNHiqpzdXjvTf4fFO+8PGMRzj0fnKxQ
sBYZliZmLS7AZYNKK85sN5PEYSeCz9YYsM3QsMbBGdtaMtfYxu7zUJHyooklGXGRAiYK
nvWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1720487775; x=1721092575;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=FG05YwUTez7FWpUSFLdRz4gfaYY3Brhy7tzYV3xfylc=;
b=ojTOnGoGj0aZCGB6xOgMJdH46BWuEtRgWsDXB/iadftUuddQlZ2gD585ihCL3EUn6P
me6WGNhrC3kUYM/VwpYOHUloOWSUlzOniEb3DGuPSNjEXXe37oEnZmFQFgAfPO12aw57
rAqUAaedYmeSVF9RqeOmvzEI94PKNZkSxXnSHRgKRlXgLQCrs7p+l+pmN5eqnj6DW5+Y
amJqdGXatFjSmumEWO0L76wY93oNu3q3WMXmhjB+iG+xqCpVDFJTpzS/RPOK4K+k4M2H
Lxe/d/HXyFCEhXBBN4SNAJa7yIDIZCLbhaqaSUt9+DukD/8msrs0I+LfVHL+3/MpGfFo
WhJg==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCVmqMhPdtNi2rY29aoezvGEA5CV894XzBYB5hdgkw816Byg9GXwGht8YkaloTctEwIzosIxSwbkYDTCQthB2wbjRW1NiWc=
X-Gm-Message-State: AOJu0YxFMXJ2UL4383UcUAcpnoH6bYSVdrfWObyZeUu16Rw8+VM4NSuJ
SE3MwhePNmYPUYki4oG4+z8lvpVe5+rcKQwWyu+nekxPpnmh12dV
X-Google-Smtp-Source: AGHT+IH5RNBGd0kL34Cj3J4IQT1x/pCh7gQFhJkCwb1NtNpvtohhStUiDtsZ4wiQBvEiG5sjvFVPxQ==
X-Received: by 2002:a25:8011:0:b0:e02:bf87:7cce with SMTP id 3f1490d57ef6-e041b177ddamr1426891276.64.1720487775234;
Mon, 08 Jul 2024 18:16:15 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6902:120d:b0:dfa:77ba:dc1f with SMTP id
3f1490d57ef6-e03bd0b100bls6623237276.2.-pod-prod-06-us; Mon, 08 Jul 2024
18:16:13 -0700 (PDT)
X-Received: by 2002:a05:6902:2409:b0:e03:a0dd:43c1 with SMTP id 3f1490d57ef6-e041af4108cmr70608276.0.1720487773690;
Mon, 08 Jul 2024 18:16:13 -0700 (PDT)
Received: by 2002:a05:690c:2c0e:b0:627:7f59:2eee with SMTP id 00721157ae682-6514347c5d4ms7b3;
Wed, 3 Jul 2024 10:20:08 -0700 (PDT)
X-Received: by 2002:a05:6902:2b13:b0:df4:8ff6:47f4 with SMTP id 3f1490d57ef6-e036eaece89mr1214991276.1.1720027206791;
Wed, 03 Jul 2024 10:20:06 -0700 (PDT)
Date: Wed, 3 Jul 2024 10:20:06 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <2414b7a9-3f38-4641-a2c5-58aa37691fe5n@googlegroups.com>
In-Reply-To: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
References: <rALfxJ5b5hyubGwdVW3F4jtugxnXRvc-tjD_qwW7z73rd5j7lXGNdEHWikmSdmNG3vkSOIwEryZzOZr_DgmVDDmt9qsX0gpRAcpY9CfwSk4=@protonmail.com>
Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_198517_162868746.1720027206566"
X-Original-Sender: antoine.riard@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
------=_Part_198517_162868746.1720027206566
Content-Type: multipart/alternative;
boundary="----=_Part_198518_521066554.1720027206566"
------=_Part_198518_521066554.1720027206566
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hello Antoine,
For information the lifecycle of each bitcoin core release has been updated=
=20
with EOL dates for each version:
https://bitcoincore.org/en/lifecycle/
That way it's great if you plan to throw bitcoin core or some of its=20
components on secure hardware env, where lifecycles can be harder to manage=
.
True thanks the six of you for all the work done on putting in place a=20
better disclosure policy.
Best,
Antoine (the other one)
Le mercredi 3 juillet 2024 =C3=A0 14:10:10 UTC+1, Antoine Poinsot a =C3=A9c=
rit :
> Hi everyone,
>
> We are writing to announce the policy Bitcoin Core will be using for=20
> disclosing security vulnerabilities.
>
> The project has historically done a poor job at publicly disclosing=20
> security-critical bugs, whether externally reported or found by=20
> contributors. This has led to a situation where a lot of users perceive=
=20
> Bitcoin Core as never having bugs. This perception is dangerous and,=20
> unfortunately, not accurate.
>
> Besides a better communication of the risk of running outdated versions, =
a=20
> consistent tracking and standardized disclosure process would set clear=
=20
> expectations for security researchers, providing them with an incentive t=
o=20
> try finding vulnerabilities *and* to responsibly disclose them. Making th=
e=20
> security bugs available to the wider group of contributors can help preve=
nt=20
> future ones.
>
> Over the past months, we've worked on setting this up. Here is the=20
> disclosure policy we came up with.
>
> When reported, a vulnerability will be assigned a severity category. We=
=20
> differentiate between 4 classes of vulnerabilities:
> - **Low**: bugs which are hard to exploit or have a low impact. For=20
> instance a wallet bug which requires access to the victim's machine.
> - **Medium**: bugs with limited impact. For instance a local network=20
> remote crash.
> - **High**: bugs with significant impact. For instance a remote crash, or=
=20
> a local network RCE.=20
> - **Critical**: bugs which threaten the whole network's integrity. For=20
> instance an inflation or coin theft bug.
>
> **Low** severity bugs will be disclosed 2 weeks after a fixed version is=
=20
> released. A pre-announcement will be made at the same time as the release=
.
>
> **Medium** and **high** severity bugs will be disclosed 2 weeks after the=
=20
> last affected release goes EOL. This is a year after a fixed version was=
=20
> first released. A pre-announcement will be made 2 weeks prior to disclosu=
re.
>
> **Critical** bugs are not considered in the standard policy, as they woul=
d=20
> most likely require an ad-hoc procedure.
>
> Also, a bug may not be considered a vulnerability at all. A reported issu=
e=20
> may be considered serious yet not require an embargo.
>
> This policy will be gradually adopted in the coming months. Today we will=
=20
> disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and=20
> earlier. Later in july we will disclose all vulnerabilities fixed in=20
> Bitcoin Core version 22.0. In august, all vulnerabilities fixed in Bitcoi=
n=20
> Core version 23.0. And so on until we run out of EOL versions to disclose=
=20
> vulnerabilities for.
>
> Please let us know if this policy may have a significant negative impact=
=20
> for you.
>
> Anthony, Antoine, Ava, Michael, Niklas and Pieter.
>
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com.
------=_Part_198518_521066554.1720027206566
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hello Antoine,<div><br /></div><div>For information the lifecycle of each b=
itcoin core release has been updated with EOL dates for each version:</div>=
<div>https://bitcoincore.org/en/lifecycle/<br /></div><div><br /></div><div=
>That way it's great if you plan to throw bitcoin core or some of its compo=
nents on secure hardware env, where lifecycles can be harder to manage.</di=
v><div><br /></div><div>True thanks the six of you for all the work done on=
putting in place a better disclosure policy.</div><div><br /></div><div>Be=
st,</div><div>Antoine (the other one)</div><div class=3D"gmail_quote"><div =
dir=3D"auto" class=3D"gmail_attr">Le mercredi 3 juillet 2024 =C3=A0 14:10:1=
0 UTC+1, Antoine Poinsot a =C3=A9crit=C2=A0:<br/></div><blockquote class=3D=
"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204,=
204, 204); padding-left: 1ex;">Hi everyone,
<br>
<br>We are writing to announce the policy Bitcoin Core will be using for d=
isclosing security vulnerabilities.
<br>
<br>The project has historically done a poor job at publicly disclosing sec=
urity-critical bugs, whether externally reported or found by contributors. =
This has led to a situation where a lot of users perceive Bitcoin Core as n=
ever having bugs. This perception is dangerous and, unfortunately, not accu=
rate.
<br>
<br>Besides a better communication of the risk of running outdated versions=
, a consistent tracking and standardized disclosure process would set clear=
expectations for security researchers, providing them with an incentive to=
try finding vulnerabilities *and* to responsibly disclose them. Making the=
security bugs available to the wider group of contributors can help preven=
t future ones.
<br>
<br>Over the past months, we've worked on setting this up. Here is the =
disclosure policy we came up with.
<br>
<br>When reported, a vulnerability will be assigned a severity category. We=
differentiate between 4 classes of vulnerabilities:
<br>- **Low**: bugs which are hard to exploit or have a low impact. For ins=
tance a wallet bug which requires access to the victim's machine.
<br>- **Medium**: bugs with limited impact. For instance a local network re=
mote crash.
<br>- **High**: bugs with significant impact. For instance a remote crash, =
or a local network RCE.=20
<br>- **Critical**: bugs which threaten the whole network's integrity. =
For instance an inflation or coin theft bug.
<br>
<br>**Low** severity bugs will be disclosed 2 weeks after a fixed version i=
s released. A pre-announcement will be made at the same time as the release=
.
<br>
<br>**Medium** and **high** severity bugs will be disclosed 2 weeks after t=
he last affected release goes EOL. This is a year after a fixed version was=
first released. A pre-announcement will be made 2 weeks prior to disclosur=
e.
<br>
<br>**Critical** bugs are not considered in the standard policy, as they wo=
uld most likely require an ad-hoc procedure.
<br>
<br>Also, a bug may not be considered a vulnerability at all. A reported is=
sue may be considered serious yet not require an embargo.
<br>
<br>This policy will be gradually adopted in the coming months. Today we wi=
ll disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and e=
arlier. Later in july we will disclose all vulnerabilities fixed in Bitcoin=
Core version 22.0. In august, all vulnerabilities fixed in Bitcoin Core ve=
rsion 23.0. And so on until we run out of EOL versions to disclose vulnerab=
ilities for.
<br>
<br>Please let us know if this policy may have a significant negative impac=
t for you.
<br>
<br>Anthony, Antoine, Ava, Michael, Niklas and Pieter.
<br></blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.=
com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msg=
id/bitcoindev/2414b7a9-3f38-4641-a2c5-58aa37691fe5n%40googlegroups.com</a>.=
<br />
------=_Part_198518_521066554.1720027206566--
------=_Part_198517_162868746.1720027206566--
|
