## Supported Versions

We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
## Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow these steps.

Security vulnerabilities should be reported privately to avoid exposing users to potential risks. Do not open a public issue.

Send an email to: security@thebitcoincommons.org

Include the following information:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
### Response Timeline

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Resolution: Depends on severity and complexity

### What to Expect

- We will work with you to understand and resolve the issue
- We will notify you when the fix is ready
- We will coordinate public disclosure timing
- We will credit you in security advisories (unless you prefer anonymity)
## Security Scope by Component

### blvm-consensus

Security Scope: Mathematical consensus rule implementation

- In Scope: Consensus rule correctness, mathematical accuracy
- Out of Scope: Network security, key management, wallet security

Critical Dependencies: All consensus-critical dependencies are pinned to exact versions

### blvm-protocol

Security Scope: Protocol abstraction and variant support

- In Scope: Protocol parameter validation, variant isolation
- Out of Scope: Network security, consensus rule implementation

### blvm-node

Security Scope: Bitcoin node implementation

- In Scope: Node security, RPC security, storage security
- Out of Scope: Wallet security, key management
## Production Readiness

Important: This implementation is designed for pre-production testing and development. Additional hardening is required for production mainnet use.

- blvm-consensus: Production-ready for consensus validation
- blvm-protocol: Production-ready for protocol abstraction
- blvm-node: Pre-production testing only (see SECURITY.md in repository)

For development and testing:

- All components are safe for development and testing
- Regtest mode recommended for development
- Isolated testing environments preferred
## Security Best Practices

For contributors:

- Dependency Management: Use exact version pinning for consensus-critical dependencies
- Testing: Run comprehensive test suites before deployment
- Code Review: All consensus-critical changes require review
- Documentation: Document security assumptions and boundaries

For users:

- Version Pinning: Pin to exact versions in production
- Testing: Thoroughly test in isolated environments
- Monitoring: Monitor for security updates
- Reporting: Report any security concerns immediately
## Security Updates

Security updates will be released as:

- Patch releases: For security fixes
- Minor releases: For security improvements
- Major releases: For breaking security changes
## Security Audits

We are committed to regular security audits:

- External audits: Planned for production releases
- Internal reviews: Ongoing code review process
- Community feedback: Open to security community input
## Contact

For security-related questions or concerns:

- Email: security@thebitcoincommons.org
- PGP Key: Available on request (request the key before sending reproduction details that should not travel in cleartext)
- Response Time: Within 48 hours

## Acknowledgments

We thank the security community for their contributions and responsible disclosure practices.