docs: update security vulnerability reporting guidance#352
Conversation
|
Review-assist / deconfliction note for maintainers on #352: I checked this against the existing security-policy PR queue. Current visible state: This overlaps heavily with #226, which already removes the inherited Bitcoin Core security email and developer PGP keys, points reporters away from public issues, and gives private vulnerability reporting / official website fallback guidance. Main maintainer decision before merging either one:
No code, wallet/RPC, consensus, live-chain, claim, or payment action from me here; this is queue triage to avoid duplicate review effort. |
|
Thanks for the review-assist note. That makes sense. My intent with #352 was to remove stale inherited Bitcoin Core security reporting guidance and make the Bitgesell vulnerability reporting instructions clearer. I understand there may be overlap with #226. I do not want to create duplicate review work. If maintainers prefer #226 as the primary security-policy cleanup path, I am happy to rework #352 into a narrower checklist-only follow-up, or otherwise adjust based on maintainer direction. I will wait for maintainer guidance before making further changes. |
|
Thanks for clarifying. From a maintainer-triage standpoint, that leaves a clean path:
I would still keep #226/#352 on the same security-policy bounty lane until a maintainer chooses which one should be canonical, so there is no duplicate payout/review queue. |
Summary
This updates
SECURITY.mdto remove stale Bitcoin Core vulnerability reporting details and replace them with Bitgesell-appropriate security reporting guidance.Why
The existing security policy points reporters to
security@bitcoincore.organd lists Bitcoin Core developer PGP keys, which are not appropriate reporting contacts for this repository.Changes
Testing
Documentation-only change.