Conversation

@paveljanik
Contributor

Add a notice about reporting security issues responsibly to the GitHub issue template.

@fanquake fanquake added the Docs label Nov 9, 2016
@jonasschnelli
Contributor

Concept ACK, though this reminds me that we should offer a way for users to send encrypted mails to [email protected]

@laanwj
Member

laanwj commented Nov 10, 2016

Concept ACK.

that we should offer a way how users can send encrypted mails to [email protected]

This is a challenge in itself. I know of no way to do encrypted group addresses. Some security reporting addresses use a shared private GPG key specifically generated for that purpose, but after retiring the alert key we're probably not too happy to adapt private shared keys. Though this one would be used for reading mail only I guess...

@jonasschnelli
Contributor

Yes. It's a challenge and involves writing to specific developers.
But IMO, unencrypted emails slightly defeat the purpose of "responsible disclosed submitting" of security-critical issues.
But we can discuss that further on https://github.com/bitcoin-core/bitcoincore.org

@paveljanik
Contributor Author

Yes, this discussion belongs there.

But... It would be nice to be able to encrypt such a message inside the Bitcoin Core UI, using a 1-of-n concept.
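As an added example that is not code from this PR or from Bitcoin Core, the "1-of-n" idea above and the earlier concern that there is "no way to do encrypted group addresses" can both be shown with the hybrid construction OpenPGP uses for multi-recipient messages: the report is encrypted once under a fresh content key, and that content key is wrapped separately to each maintainer's public key, so any single maintainer decrypts with their own private key and no shared private key ever exists. The program below is a constructed Go illustration using only the standard library; the Envelope type, the Seal/Open names and the sample report text are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed, simplified stand-in for an OpenPGP message:
// one symmetrically encrypted body plus the content key wrapped once per
// recipient. Nothing here is shared between recipients except the body.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys [][]byte // one RSA-OAEP wrap of the content key per recipient
}

// Seal encrypts plaintext so that any single holder of one of the recipient
// private keys can open it (1-of-n); each recipient keeps their own key.
func Seal(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("at least one recipient required")
	}
	contentKey := make([]byte, 32) // fresh AES-256 key per message
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Open tries each wrapped key with the caller's private key and decrypts the
// body with the first one that unwraps; wraps for other recipients are opaque.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
		if err != nil {
			continue // this wrap was not made for our key
		}
		block, err := aes.NewCipher(contentKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key matches this private key")
}

func main() {
	// Constructed example: three maintainers, each with their own key pair.
	var privs []*rsa.PrivateKey
	var pubs []*rsa.PublicKey
	for i := 0; i < 3; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		privs = append(privs, k)
		pubs = append(pubs, &k.PublicKey)
	}
	report := []byte("constructed sample report: description of a suspected bug")
	env, err := Seal(report, pubs)
	if err != nil {
		panic(err)
	}
	for i, p := range privs {
		got, err := Open(env, p)
		fmt.Printf("recipient %d: %q err=%v\n", i, got, err)
	}
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(env, outsider)
	fmt.Println("outsider:", err)
}
```

The same property is what `gpg --encrypt` gives when several `--recipient` options are passed: the list of public keys to encrypt to is the only thing the reporting page has to publish, and it can be updated without reissuing anyone's private key.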

Member

Indeed. The discussion belongs there, and so does the documentation. Maybe refer to the instructions for reporting security issues on the contact page: https://bitcoincore.org/en/contact/ instead of mentioning the address directly?
If we then happen to have GPG set up, it can be mentioned there without having to put everything into this template.

Contributor Author

@paveljanik paveljanik Nov 10, 2016

I wanted to do so first, but the URLs are fragile and can change. And when the separate "Report security issues" page appears at bitcoincore.org, we will have to change the URL here. Mail will probably stay the same.

Member

I think https://bitcoincore.org/en/contact/ will always be the page for contact, even if there is a subsection with a list of gpg keys.

Contributor Author

How can you predict it will be a subsection? What if en-GB speakers ask for separate en-GB and en-US pages?

Member

"I wanted to do so first, but the URLs are fragile and can change" so are email addresses.
It's not impossible to update this again, it just should be rare.

@paveljanik
Contributor Author

OK, OK ;-)

@fanquake
Member

ACK 7d1de30

@laanwj laanwj merged commit 7d1de30 into bitcoin:master Nov 11, 2016
laanwj added a commit that referenced this pull request Nov 11, 2016
7d1de30 Mention reporting security issues responsibly (Pavel Janík)
codablock pushed a commit to codablock/dash that referenced this pull request Jan 15, 2018
7d1de30 Mention reporting security issues responsibly (Pavel Janík)
andvgal pushed a commit to energicryptocurrency/gen2-energi that referenced this pull request Jan 6, 2019
7d1de30 Mention reporting security issues responsibly (Pavel Janík)
CryptoCentric pushed a commit to absolute-community/absolute that referenced this pull request Feb 24, 2019
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Sep 8, 2021