delvingbitcoin

Non-disclosure of a consensus bug in btcd

Original Post by AntoineP

Posted on: October 4, 2024 10:01 UTC

The email discusses a perceived double standard in the security reporting norms between different bitcoin implementations, highlighting a specific case in which the btcd maintainers were pressured to disclose a security issue on a shorter timeline than they had requested.

The sender points out that if the issue had been with the bitcoind implementation, the response might have been more lenient, allowing for a delayed disclosure, which has been a practice among full node implementations for critical issues, sometimes extending beyond six months. This comparison raises questions about consistency and fairness in the handling of security disclosures across projects.

Furthermore, the correspondence touches on the interaction between the parties involved regarding the disclosure timeline. Despite initial agreement on a schedule, there was a late request to extend the disclosure period, which was ultimately denied by Niklas and AntoineP, leading to tensions. This refusal was based on not wanting to deviate from the initially agreed-upon schedule without a compelling reason, despite the btcd maintainers' preference for a delay to ensure a more cautious approach to disclosing the vulnerability after patching.

Additionally, the email mentions Bitcoin Core's establishment of a disclosure policy, suggesting that if a similar situation had been presented to Bitcoin Core, it would likely not have resulted in an adjusted timeline without substantial justification. The insistence on adhering to the predetermined disclosure timeline underscores the importance of clear communication and adherence to established protocols in managing security vulnerabilities, while also reflecting the complexities and challenges inherent in coordinating such disclosures across different teams and projects within the cryptocurrency ecosystem.