delvingbitcoin
Non-disclosure of a consensus bug in btcd
Posted on: October 3, 2024 20:00 UTC
The email discusses a significant disagreement over the timing of security disclosure between the maintainers of btcd and two individuals, Niklas and AntoineP.

The core issue is the length of the delay between the implementation of a patch for a security vulnerability and its public disclosure. The btcd maintainers proposed a 6-month period between patching and disclosure, aiming to follow the precedent set by other full node implementations, which often wait well beyond 6 months before disclosing critical issues. This approach is underscored by examples from past disclosures, as highlighted in the referenced Bitcoin Core security advisories. Contrary to this cautious approach, Niklas and AntoineP opted for earlier disclosure, choosing not to grant the additional 3-month extension requested by the btcd team. Their decision to disclose 3 months after patching, rather than the 6 months preferred by the btcd maintainers, became the main point of contention, reflecting differing views on the balance between transparency and security for critical software vulnerabilities.