Author: Nathan Wilcox 2017-09-22 02:00:31
Published on: 2017-09-22T02:00:31+00:00
In a recent discussion on the bitcoin-dev mailing list, Anthony Towns proposed a modification to the current de facto policy for handling vulnerabilities in Bitcoin. The existing policy involves reporting vulnerabilities through security at bitcoincore.org and dealing with critical issues immediately through a released patch, wide notification of the need to upgrade, and minimal disclosure of the actual problem. Non-critical vulnerabilities are dealt with through the ordinary flow of development, including patch and review, and backport of a fix or workaround from master to the current released version. Devs will attempt to ensure that publication of the fix does not reveal the nature of the vulnerability. Prior to a vulnerability becoming public, devs will recommend to friendly altcoin devs that they should catch up with fixes.

Towns proposes including zero or more altcoin developers in point 4, such that those altcoins also deploy mitigations as early as Bitcoin. He also advocates that disclosures of vulnerabilities explicitly name which altcoin developers were included in his proposed Early Altcoin Disclosure and Point 6. This allows for closer coordination with altcoins to minimize economic damage.

In response, Nathan Wilcox pointed out that publishing a policy might increase organizational vulnerability, but so might not publishing one. Publishing after a reasonable timeout has many benefits. Many security researchers learn from vulnerability disclosures across many disciplines and industries. Future protocol designers of things potentially unrelated to blockchain altogether may also learn important lessons.

Overall, Towns' proposal suggests a policy that allows for closer coordination with altcoins, while maintaining a balance between inclusiveness and secrecy. However, some argue that disclosing vulnerabilities publicly may harm the development process by giving attackers a better handle on weaknesses.
Ultimately, the benefits of disclosing vulnerabilities may outweigh the risks, and publishing a policy would be good for users and developers.
Updated on: 2023-06-12T18:41:20.271011+00:00