Skip to content

docs: update security vulnerability reporting guidance#352

Open
mdan5678-dotcom wants to merge 1 commit into
BitgesellOfficial:masterfrom
mdan5678-dotcom:bounty-hunter/bitgesell-security-policy-docs
Open

docs: update security vulnerability reporting guidance#352
mdan5678-dotcom wants to merge 1 commit into
BitgesellOfficial:masterfrom
mdan5678-dotcom:bounty-hunter/bitgesell-security-policy-docs

Conversation

@mdan5678-dotcom

Copy link
Copy Markdown

Summary

This updates SECURITY.md to remove stale Bitcoin Core vulnerability reporting details and replace them with Bitgesell-appropriate security reporting guidance.

Why

The existing security policy points reporters to security@bitcoincore.org and lists Bitcoin Core developer PGP keys, which are not appropriate reporting contacts for this repository.

Changes

  • Ask reporters not to disclose vulnerabilities in public GitHub issues.
  • Recommend GitHub private vulnerability reporting when available.
  • Direct reporters to official Bitgesell project channels when private reporting is unavailable.
  • Add a short checklist of useful vulnerability report details.

Testing

Documentation-only change.

@MyTH-zyxeon

Copy link
Copy Markdown

Review-assist / deconfliction note for maintainers on #352:

I checked this against the existing security-policy PR queue. Current visible state: OPEN / MERGEABLE / mergeStateStatus=CLEAN at head e670d652732558b4547a7fbbdb111e1c3bc49c57, no visible comments/reviews/checks, and a one-file SECURITY.md docs-only diff (+16/-10).

This overlaps heavily with #226, which already removes the inherited Bitcoin Core security email and developer PGP keys, points reporters away from public issues, and gives private vulnerability reporting / official website fallback guidance.

Main maintainer decision before merging either one:

No code, wallet/RPC, consensus, live-chain, claim, or payment action from me here; this is queue triage to avoid duplicate review effort.

@mdan5678-dotcom

Copy link
Copy Markdown
Author

Thanks for the review-assist note. That makes sense.

My intent with #352 was to remove stale inherited Bitcoin Core security reporting guidance and make the Bitgesell vulnerability reporting instructions clearer.

I understand there may be overlap with #226. I do not want to create duplicate review work.

If maintainers prefer #226 as the primary security-policy cleanup path, I am happy to rework #352 into a narrower checklist-only follow-up, or otherwise adjust based on maintainer direction.

I will wait for maintainer guidance before making further changes.

@MyTH-zyxeon

Copy link
Copy Markdown

Thanks for clarifying. From a maintainer-triage standpoint, that leaves a clean path:

I would still keep #226/#352 on the same security-policy bounty lane until a maintainer chooses which one should be canonical, so there is no duplicate payout/review queue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants