Mention reporting security issues responsibly #9115

pull paveljanik wants to merge 1 commits into bitcoin:master from paveljanik:20161109_secissues changing 1 files +2 −0
  1. paveljanik commented at 11:54 AM on November 9, 2016: contributor

    Add a notice about reporting security issues responsibly to the GitHub issue template.

  2. fanquake added the label Docs and Output on Nov 9, 2016
  3. jonasschnelli commented at 12:40 PM on November 9, 2016: contributor

    Concept ACK, though this reminds me that we should offer a way for users to send encrypted mails to security@bitcoincore.org

  4. laanwj commented at 6:07 AM on November 10, 2016: member

    Concept ACK.

    > that we should offer a way for users to send encrypted mails to security@bitcoincore.org

    This is a challenge in itself. I know of no way to do encrypted group addresses. Some security reporting addresses use a shared private GPG key specifically generated for that purpose, but after retiring the alert key we're probably not too happy to adopt private shared keys. Though this one would be used for reading mail only, I guess...

  5. jonasschnelli commented at 7:21 AM on November 10, 2016: contributor

    Yes. It's a challenge and involves writing to specific developers. But IMO, unencrypted emails slightly defeat the purpose of "responsible disclosed submitting" of security-critical issues. But we can discuss that further on https://github.com/bitcoin-core/bitcoincore.org

  6. paveljanik commented at 7:24 AM on November 10, 2016: contributor

    Yes, this discussion belongs there.

    But... It would be nice to be able to encrypt such a message inside the Bitcoin Core UI, using a 1-of-n concept.

  7. in .github/ISSUE_TEMPLATE.md:None in ac859f6b24 outdated
       3 | @@ -4,6 +4,8 @@ This issue tracker is only for technical issues related to bitcoin-core.
       4 |  
       5 |  General bitcoin questions and/or support requests and are best directed to the [Bitcoin StackExchange](https://bitcoin.stackexchange.com).
       6 |  
       7 | +For reporting security issues, please use [security@bitcoincore.org](mailto:security@bitcoincore.org).
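
    Review bot: The added line 7 gives reporters only a bare mailto address and never says that security issues should not be filed in this public tracker, which is the "responsibly" part the PR title promises. Consider making the instruction explicit, for example "Please do not report security issues here; send them to security@bitcoincore.org instead." The line also gives no way to send the report encrypted (no key and no pointer to one), so if a key or a page carrying it becomes available, the template should point to it from this line.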
    


    laanwj commented at 11:03 AM on November 10, 2016:

    Indeed. The discussion belongs there, and so does the documentation. Maybe refer to the instructions for reporting security issues on the contact page: https://bitcoincore.org/en/contact/ instead of mentioning the address directly? If we then happen to have GPG set up, it can be mentioned there without having to put everything into this template.


    paveljanik commented at 11:11 AM on November 10, 2016:

    I wanted to do so first, but the URLs are fragile and can change. And when the separate "Report security issues" page happens at bitcoincore.org, we will have to change the URL here. Mail will probably be the same.


    MarcoFalke commented at 11:35 AM on November 10, 2016:

    I think https://bitcoincore.org/en/contact/ will always be the page for contact, even if there is a subsection with a list of GPG keys.


    paveljanik commented at 12:15 PM on November 10, 2016:

    How can you predict it will be a subsection? What if en-GB speakers ask for en-GB and en-US pages?


    laanwj commented at 1:37 PM on November 10, 2016:

    "I wanted to do so first, but the URLs are fragile and can change" so are email addresses. It's not impossible to update this again, it just should be rare.

  8. Mention reporting security issues responsibly 7d1de3032d
  9. paveljanik force-pushed on Nov 10, 2016
  10. paveljanik commented at 1:42 PM on November 10, 2016: contributor

    OK, OK ;-)

  11. fanquake commented at 10:21 AM on November 11, 2016: member

    ACK 7d1de30

  12. laanwj merged this on Nov 11, 2016
  13. laanwj closed this on Nov 11, 2016

  14. laanwj referenced this in commit bfc7aad008 on Nov 11, 2016
  15. codablock referenced this in commit 8b7eeb610b on Jan 15, 2018
  16. andvgal referenced this in commit e4147c75d1 on Jan 6, 2019
  17. CryptoCentric referenced this in commit 5af19de5ec on Feb 24, 2019
  18. MarcoFalke locked this on Sep 8, 2021
