Author: Anthony Towns 2017-09-12 04:47:58
Published on: 2017-09-12T04:47:58+00:00
In an email exchange, Daniel Stadulis proposed treating different bug severity levels with different response plans. He compared this to Monero's three-level response process, which tailors the response to each severity level: Monero treats HIGH as an emergency, fixes MEDIUM in a point release, and defers LOW to the next regular release. Monero's documentation also states that vulnerabilities will be fixed and reported within 90 days, after which researchers may publicly disclose the issue themselves. While this might not be a perfect fit for Bitcoin Core, it appears better than current practice.

If you're an altcoin developer or just a Bitcoin Core user, it can be difficult to determine whether the software you're using is secure. The Common Vulnerabilities and Exposures page on Bitcoin.it suggests that any version 0.11 or later is safe. However, that conclusion cannot be relied on by anyone who doesn't track every commit and PR.

The author proposes transitioning from keeping vulnerability details private indefinitely to having a public disclosure policy. This could start with releasing information about security vulnerabilities fixed in earlier versions, with a regular policy adopted thereafter. This would give people relying on older, potentially vulnerable versions a realistic chance to privately prepare and deploy any upgrades or fixes they've missed out on until now.
Updated on: 2023-05-20T03:49:40.460581+00:00