Back in september 2023, during the Coredev in the Azores, we (the group of Bitcoin Core contributors present) discussed we (as a project) should do a better job of tracking and disclosing security-critical bugs. A bunch of us volunteered to dig up old reports (disclosed or not), set up some private infra to track vulnerabilities and come up with a disclosure policy. The group is comprised of Ava Chow, Michael Ford (fanquake), Niklas Gögge, Antoine Poinsot, Anthony Towns and Pieter Wuille.
In march 2024, during the Coredev in Berlin, this group had another discussion regarding the disclosure policy involving other long-time contributors. It was decided to go through all the past reports which were dug up to inform our disclosure policy. "If bug X was reported today, how should we treat it?". Following this the group had a couple of calls to decide on a disclosure policy.
When reported, a vulnerability would be assigned a severity category. We differentiate 4 classes of vulnerabilities:
- Low: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim's machine.
- Medium: bugs with limited impact. For instance a local network remote crash.
- High: bugs with significant impact. For instance a remote crash, or a local network RCE.
- Critical: bugs which threaten the whole network's integrity. For instance an inflation or coin theft bug.
Critial bugs would most likely require an ad-hoc procedure. As they are very rare and it's hard to come up with a standard policy for those in advance, we do not consider them here. Instead we focus on a standard policy for the large majority of the reports, which range from low to high severity.
A bug may also not get into any category at all. A reported issue may be considered seriously yet not be classified as a vulnerability because it does not require secrecy.
Low severity bugs will be disclosed 2 weeks after a fix is released. A pre-announcement would be made at the same time as the release.
Medium and high severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is approximately a year and a half after it was first released. A per-announcement would be made 2 weeks earlier.
- Share with the wider groupe of Bitcoin Core contributors.
- Announce the policy to the wider Bitcoin developer community through the
bitcoin-dev
mailing list. Request feedback. We are not asking people to tell us how they think we should handle this, we are asking if this would be harmful to anybody for objective reasons we may have overlooked.
- Example of valid feedback: "I'm in charge of mining infrastructure. We are occasionally running a couple versions of Bitcoin Core behind for reason X. Given our past experience i believe it's possible for a business like ours to not be capable of upgrading within 2 weeks of the version we are running going EOL for reasons Y and Z. This is unlikely, still i think a pre-announcement period of 1 month instead would make sure to err on the safe side."
- Example of invalid feedback: "I just Google'd 'CVE best practices' and here is how you should do things instead or else it's an attack on Bitcoin" (except passed through ChatGPT to get to 10k words).
- Try to communicate it to a wider audience. Ping the Optech guys, etc..
We want to publish historical reports. We also want to gradually start enforcing the policy, to let the chance to everyone who didn't to upgrade. To this effect we are going to incrementally disclose security bugs which were fixed in past releases, up to the point where the bugs for all EOL releases will have been disclosed.
We'll start this month (june) with historical bugs: all which were fixed in 0.21.x and below (we have undisclosed bugs for as old as 0.11). Barring any good reason to change course (through the feedback received from users) we would continue in July for bugs fixed in 22.x. In August for bugs fixed in 23.x. Etc..
Thanks for all the comments.
@stickies-v i think the pre-announcements would be made through the bitcoin-dev mailing list at the same time as the announce of a release. Since announcing release N is effectively announcing release N-3 is now EOL. I expect when releasing version N we would now also state "Vulnerabilities affecting the previous version, if any, would be disclosed in approximately one year. Please upgrade as soon as you can.". Regarding the authentication of announcements, disclosures could be PGP signed. Pre-announcements could be too, but i'm not sure it's worth it.
@maflcko this is my personal opinion as well. That said, i believe this policy is better than no policy.
@harding it may be possible to figure out some covered fixes from the diff between two versions, but i don't expect it to be trivial in most cases for any realistic threat model. That said, we already intend to have the template you recommend. Then the pre-announcement period is just a reminder which in the worst case would reduce the disclosure period by 2 weeks.
@ariard i'm not sure how the first section is relevant for the disclosure policy. A security vulnerability report leak is already possible. Regarding the second section, i don't think using a convoluted numbering scheme in place of CVE numbers would be pertinent. Regarding reverse-engineering the fixes from the diff between two releases, as i mentioned above i don't think it's that trivial in most cases. CVE-2019-12998 is also not a good illustration of how Bitcoin Core usually does covered fixes. Regarding fork coins it's always a complicate decision. But for disclosing historical bugs i don't think this is anywhere near being aggressive.