Add SECURITY.md #679

jonasnick wants to merge 1 commit into bitcoin-core:master from jonasnick:add-security-md, changing 2 files +20 −0
  1. jonasnick commented at 3:03 PM on October 28, 2019: contributor

    Fixes #646

    WIP because the secp256k1-security@bitcoincore.org email address doesn't exist yet. But it seems like the right place for vulnerability reports. security@bitcoincore.org would have the downside that it perhaps reaches more people than necessary. Ideally secp256k1-security would just forward to the three maintainers listed in SECURITY.md. @sipa @apoelstra is it okay to put you there? Fwiw I'm opting out for now because three people should be enough. @sipa do you know who to talk to about adding secp256k1-security@bitcoincore.org and the specifics about how it would work?

  2. Add SECURITY.md 78c3836341
  3. real-or-random commented at 5:36 PM on October 28, 2019: contributor

    > @sipa do you know who to talk to about adding secp256k1-security@bitcoincore.org and the specifics about how it would work?

    sipa says @laanwj may be the right person to ping here.

    By the way, this PR is consistent with what was discussed in http://www.erisian.com.au/meetbot/bitcoin-core-dev/2019/bitcoin-core-dev.2019-08-15-19.00.log.html:

    19:19:53 <real_or_random> also e.g., I have an open issue about a security.md file
    19:20:34 <real_or_random> which raises the question who should be in there. secp256k1 maintainers or bitcoin-core maintainers?
    [...]
    19:22:24 <wumpus> secp256k1 issues should probably be reported to secp256k1 maintainers, in general
    19:22:51 <sipa> agree; though very serious issues that impact bitcoin could of course also be reported to bitcoin core
    19:23:09 <real_or_random> wumpus: yes this seems sensible they can escalate to core if necessary
    [...]
    19:23:44 <wumpus> yes, if it affects use in bitcoin, or is even an issue that threatens bitcoin, that seems an exception
    

    Maybe we should add a note to the file that issues may be escalated to Bitcoin Core asking the reporter for permission.

  4. laanwj commented at 2:43 PM on November 7, 2019: member

    Yes, I can set up a forward secp256k1-security@bitcoincore.org, just let me know who to include (in private is fine).

  5. elichai commented at 2:48 PM on November 7, 2019: contributor

    Concept ACK. I think it's about time :)

  6. laanwj commented at 11:18 AM on November 25, 2019: member

    The e-mail forward has been added (might take some time to propagate)

  7. jonasnick renamed this:
    WIP: Add SECURITY.md
    Add SECURITY.md
    on Nov 25, 2019
  8. real-or-random commented at 1:49 PM on November 25, 2019: contributor

    ACK 78c38363412db3ea1cd1f0cc42dd1624c078ee32 I looked at the diff and verified my fingerprint

  9. sipa commented at 6:59 PM on November 25, 2019: contributor

    ACK, verified I can receive emails, and verified my fingerprint.

  10. apoelstra commented at 5:07 PM on November 26, 2019: contributor

    ACK my fingerprint is correct and I can receive email.

  11. jonasnick referenced this in commit 387d723c3f on Nov 26, 2019
  12. jonasnick merged this on Nov 26, 2019
  13. jonasnick closed this on Nov 26, 2019

  14. sipa cross-referenced this on Jun 9, 2020 from issue Update libsecp256k1 subtree by sipa
  15. fanquake referenced this in commit 8c97780db8 on Jun 13, 2020
  16. sidhujag referenced this in commit 8a3a072968 on Jun 13, 2020
  17. ComputerCraftr referenced this in commit b98f1c6e6c on Jun 16, 2020
  18. UdjinM6 referenced this in commit 9d36ba6570 on Aug 10, 2021
  19. 5tefan referenced this in commit 8ded2caa74 on Aug 12, 2021
  20. gades referenced this in commit d855cc511d on May 8, 2022

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-18 19:15 UTC