Responsible disclosure of bugs



Summary:

Bitcoin developers are concerned that altcoins running old, unpatched forks of Bitcoin Core make it difficult to disclose issues without putting people at risk, and a discussion is encouraged to find reasonable approaches. One suggested approach is a "responsible disclosure" timeline: the vulnerability is first reported privately, then details are shared within a private, trusted Bitcoin Core group. Basic information is next shared with a small group of trusted users, and patches can be included in the git repository after 7 days. Release candidates containing the fix become available after 90 days, an official release including the fix after 120 days, and a CVE with full details and acknowledgments is published on day 134. Not publishing vulnerability information only gives everyone a false sense of security, encourages ignoring good security practices, and creates problems both for bitcoind nodes that are not upgraded and for altcoin implementations trying to keep up to date. The trusted Bitcoin Core group and the small group of trusted users are proposed as disclosure channels to ensure that vulnerabilities actually get disclosed. The list of Bitcoin CVEs is outdated: no new CVEs have been posted for almost three years, except for CVE-2015-3641, for which no information appears to be publicly available. It would greatly benefit end users if the community of clients and altcoins derived from Bitcoin Core could be patched for any known vulnerabilities. Finally, the post encourages discussion of Bitcoin and CVEs on the mailing list, a topic that has gone unanswered for six months.


Updated on: 2023-05-20T03:50:41.874865+00:00