Author: Sergio Demian Lerner 2017-09-22 19:53:46
Published on: 2017-09-22T19:53:46+00:00
A discussion about the current de facto policy for disclosing vulnerabilities in Bitcoin has been taking place on the bitcoin-dev mailing list. The practices described include reporting vulnerabilities privately to security at bitcoincore.org, patching critical issues immediately, and releasing only minimal details of a vulnerability at first so that attacks are delayed. Non-critical vulnerabilities are patched and reviewed in the ordinary flow of development. Developers currently withhold full vulnerability details until more than 80% of Bitcoin nodes have deployed the fix; it is suggested that this threshold be raised so that details are published only after 95% of nodes have upgraded and the fix has been released for at least six months. It is also suggested that vulnerabilities be tracked with standard CVE identifiers. The discussion goes on to propose modifications to the policy, such as early disclosure to a (possibly empty) set of altcoin developers and a global timeout after which a vulnerability is disclosed. Finally, there is debate over whether documenting the security policy could give attackers an advantage in finding weak points, but many participants believe the benefits outweigh the risks.
Updated on: 2023-06-12T18:41:30.479260+00:00