Responsible Disclosure section or page #236
saivann closed this in a77a490 on Sep 4, 2013
gavinandresen commented Sep 4, 2013
This has been on my TODO list for months, and I haven't got around to creating a pull request. So I'm going to file an issue and hope somebody else has time:
We need either a section on the Resources/Development page or a link and a separate page that answers the question "I'm a security researcher and I found a vulnerability in Bitcoin; who do I tell?"
That section/page should say something like:
Non-critical vulnerabilities can be emailed to any of the core developers or sent to the private bitcoin-security@lists.sourceforge.net mailing list. An example of a non-critical vulnerability would be an expensive-to-carry-out denial of service attack.
Critical vulnerabilities that are too sensitive for unencrypted email should be sent to one or more of the core developers, encrypted with their PGP key(s).