Added responsible disclosure policy
Summary: Feedback from Bitcoin-ABC/bitcoinabc.org#24 indicated the disclosure policy should be part of the repo itself.  I totally agree.

Test Plan:
1. Read it carefully.
2. Try it out yourself.

Reviewers: deadalnix, schancel, Fabien, Mengerian, #bitcoin_abc

Reviewed By: deadalnix, Fabien, #bitcoin_abc

Subscribers: teamcity

Differential Revision: https://reviews.bitcoinabc.org/D1993
jasonbcox committed Nov 7, 2018
1 parent bc151ca commit 91ba8bb
Showing 3 changed files with 89 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -194,3 +194,8 @@ By contributing to this repository, you agree to license your work under the
MIT license unless specified otherwise in `contrib/debian/copyright` or at
the top of the file itself. Any work contributed where you are not the original
author must contain its license header with the original author(s) and source.

Disclosure Policy
-----------------

See [DISCLOSURE_POLICY](DISCLOSURE_POLICY).
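Review bot: the link target in `See [DISCLOSURE_POLICY](DISCLOSURE_POLICY).` has no `.md` extension, but the file this commit adds is `DISCLOSURE_POLICY.md`, so the relative link will not resolve on GitHub. Suggest `See [DISCLOSURE_POLICY](DISCLOSURE_POLICY.md).`, matching the `[CONTRIBUTING](CONTRIBUTING.md)` convention already used in README.md.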
78 changes: 78 additions & 0 deletions DISCLOSURE_POLICY.md
@@ -0,0 +1,78 @@
# Responsible Disclosure Policy

Bitcoin ABC takes security very seriously. We greatly appreciate any and all disclosures of bugs and vulnerabilities that are done in a responsible manner. We will engage responsible disclosures according to this policy and put forth our best effort to fix disclosed vulnerabilities as well as reaching out to numerous node operators to deploy fixes in a timely manner.

## Responsible Disclosure Guidelines

Do not disclose any bug or vulnerability on public forums, message boards, mailing lists, etc. prior to responsibly disclosing to Bitcoin ABC and giving sufficient time for the issue to be fixed and deployed.
Do not execute on or exploit any vulnerability. This includes testnet, as both mainnet and testnet exploits are effectively public disclosure. Regtest mode may be used to test bugs locally.

## Reporting a Bug or Vulnerability

When reporting a bug or vulnerability, please provide the following to security@bitcoinabc.org:
A short summary of the potential impact of the issue (if known).
Details explaining how to reproduce the issue or how an exploit may be formed.
Your name (optional). If provided, we will provide credit for disclosure. Otherwise, you will be treated anonymously and your privacy will be respected.
Your email or other means of contacting you.
A PGP key/fingerprint for us to provided encrypted responses to your disclosure. If this is not provided, we cannot guarantee that you will receive a response prior to a fix being made and deployed.

## Encrypting the Disclosure

We highly encourage all disclosures to be encrypted to prevent interception and exploitation by third-parties prior to a fix being developed and deployed. Please encrypt using this PGP public key with id: `3199472CFB54790D90B8ECB4B1606D6B42B7F4C7`

It may be obtained via:
```
gpg --recv-keys 3199472CFB54790D90B8ECB4B1606D6B42B7F4C7
```

Below are some basic instructions for encrypting your disclosure on Linux if you are unfamiliar with GPG:

1. If you don’t already have a PGP key, first download GPG:
For Debian based distributions:
```
sudo apt-get install gpg
```
For Archlinux based distributions:
```
pacman -S gnupg
```
2. Generate a PGP key:
```
gpg --full-generate-key
```
3. Select “RSA and RSA”
4. Enter a key size of 4096.
5. Follow the remaining prompts.
6. Save your disclosure report to a plain text file, then encrypt:
```
gpg --output mydisclosurefile.asc --encrypt --recipient security@bitcoinabc.org mydisclosurefile
```

## Backup PGP Keys

These PGP fingerprints and emails are provided only as backups in case you are unable to contact Bitcoin ABC via the security email above.

#### Amaury Sechet
```
Bitcoin ABC Lead Developer
deadalnix at gmail dot com
629D7E5DDDA0512BD5860F2C5D7922BBD649C4A7
```

#### Shammah Chancellor
```
Bitcoin ABC Developer
disclosure at shablag dot com
7A55A44F3A3239827C8A594E7D3958C44427674A
```

#### Jason B. Cox
```
Bitcoin ABC Developer
contact at jasonbcox dot com
3BB16D00D9A6D281591BDC76E4486356E7A81D2C
```

## Making changes to this disclosure

Note that any changes to this disclosure should be mirrored in a pull request to the [bitcoinabc.org repo](https://github.com/Bitcoin-ABC/bitcoinabc.org).
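Review bot: in step 6 of "Encrypting the Disclosure", `--recipient security@bitcoinabc.org` selects the encryption key by user ID rather than by fingerprint, so a reporter whose keyring holds another key carrying that address, or who received a different key back from the keyserver, would encrypt the report to the wrong key. Since the fingerprint is already stated in that section, suggest `gpg --output mydisclosurefile.asc --armor --encrypt --recipient 3199472CFB54790D90B8ECB4B1606D6B42B7F4C7 mydisclosurefile`; `--armor` also matters because the `.asc` filename implies ASCII-armored output while `--encrypt` alone writes a binary file. It would also help to tell reporters to compare the fingerprint shown by `gpg --fingerprint 3199472CFB54790D90B8ECB4B1606D6B42B7F4C7` against the one printed in the policy after `--recv-keys`, since a keyserver lookup on its own does not authenticate the key. Smaller points: the five items under "Reporting a Bug or Vulnerability" carry no list markers, so Markdown renders them as one run-on paragraph, and "for us to provided encrypted responses" should read "to provide".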
7 changes: 6 additions & 1 deletion README.md
Expand Up @@ -41,4 +41,9 @@ This Github repository contains only source code of releases.

Bitcoin ABC development takes place at https://reviews.bitcoinabc.org/

If you would like to contribute, please read [CONTRIBUTING](CONTRIBUTING.md)
If you would like to contribute, please read [CONTRIBUTING](CONTRIBUTING.md).

Disclosure Policy
-----------------

See [DISCLOSURE_POLICY](DISCLOSURE_POLICY).
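Review bot: the same missing `.md` extension as in the CONTRIBUTING.md hunk: `[DISCLOSURE_POLICY](DISCLOSURE_POLICY)` should be `[DISCLOSURE_POLICY](DISCLOSURE_POLICY.md)` so the link resolves to the file added in this commit, consistent with `[CONTRIBUTING](CONTRIBUTING.md)` on the line above.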
