Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Add a SECURITY.md #772

Closed
wants to merge 1 commit into from

Conversation

ariard
Copy link

@ariard ariard commented May 7, 2020

After disclosure of mempool-congestion attacks, some people have pointed out it would be better to have some guidelines in case of future cross-implementation vulnerabilities like a spec wrong-doing or a first-layer breakage.

This is WIP proposal trying to laid out this more. Next step is obviously to gather people opinions during a meeting.

@cdecker
Copy link
Collaborator

cdecker commented May 11, 2020

We should probably follow the existing guidelines for responsible disclosures such as the ones outlined here: https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components

In addition we'll need to have some guidelines on how to triage the issue since this is not a single software project but more of an umbrella project that may have issues itself, but more likely should defer to the impacted implementations and their disclosure policy.

Copy link
Collaborator

@TheBlueMatt TheBlueMatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, I think this is something best left to discloser<->implementation relationships. We should list links to disclosure policies of the various implementations here and note that any broad issues should involve discussion there.

* Be patient, people invovled are likely spread on a timezone different than yours or travelling without full access to their security PGP keys. However if you don't get any response after a week, please try to contact them via a different communication channel asking them to check their security mailbox.
* Keep in mind you're dealing with people money, and mistakes can lead to funds loss. Act with caution.

* XXX: (timeline and deployment, type of disclosure ?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's between the project you're disclosing to and the discloser, not something general across implementations, no?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concern is if we have a vulnerability common to all implementations due to a spec wrongdoing or anything else like this, we do want a clear disclosure path to avoid some implementation doing a partial disclosure and urgent upgrade and therefore attracting awareness on other ones.

Also, LN security model being a bit different that's worthy to have maybe longer timeline and some implementation may have different vendor policies. So for implementation A it would take 3 months to upgrade 90% of nodes when for implementation B it would take 6 months to reach same percentage.

@t-bast
Copy link
Collaborator

t-bast commented May 11, 2020

I think it depends, there are two layers there. Potential vulnerability in the spec itself need some kind of disclosure that makes sure all major implementations are aware of the issue (and it probably shouldn't be the security researcher's job to manage contacting each implementation separately).

For implementation-specific issues though, we should redirect to each project's SECURITY.md

@ariard
Copy link
Author

ariard commented May 25, 2020

I do think there are multiple issues that this SECURITY.md may try to address:

  • Process disclosure for spec issue or base layer affecting all implementations, i.e who to contact ?
  • Process disclosure for common vulnerability, i.e you may find something which is an implementation wrong-doing, like last CVE on utxo checking but you want to be sure that if a fix is deployed, other implementations aren't going to be affected too ?
  • Coordination if implementation have different release policies, we should pick the higher bound, while keeping in mind LN security model has higher requirements

@t-bast
Copy link
Collaborator

t-bast commented Oct 26, 2020

For eclair, it's security@acinq.fr with the following GPG key: C25A 288A 842E AF7A A5B5 303F 7A73 FE77 DE2C 4027
See https://github.com/ACINQ/eclair/blob/master/SECURITY.md

@Roasbeef
Copy link
Collaborator

Roasbeef commented Nov 9, 2020

@rustyrussell
Copy link
Collaborator

For c-lightning, we can use security@blockstream.com 1176 542D A98E 71E1 3372 2EF7 4AC8 CC88 6844 A2D6:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFv/XdQBEAC2iS1uQij2AJSnvQZxScnqf6v0db63QDbS6GjH5PndQ8cF0szv
YJYCFBigkzj4BkKxbJJlnfPW6Jl3SfzCGDvBW3IYuB3S10InDqJFYcM1ZemWCGAs
HA48NDfB4AIBIFH09H4dUE/J6yAdhX/+Qa/bjOhiwrCFVE2pVtMN8aTFnaLzxCP+
fWZUaPrPv84B7uxEdLM77wIhsN+16FAr1qS42NfKDDolBAs//Bmv5fkNC7lzAVCf
MA/QEcNlAvButPrNyZU3t25maUv5hhKUDdJ2G/iACf8tVgp+ygmD8NHQMLPSaFqa
O5wy77Fd5OyX3Gii/E8MtPEsePViwecwJqc/3UXBx7zTRou2gxLikVFTnJb+Jit9
F2kcljhCjHGxsuhf4Zr6zu+RTHHDgdBmpt4t1HA2jft/40r+uWQjL/rNP+01HgZj
4OLHkSI5VfJsXRn1EqOGpBIzR56f0GaxA0jluQMfkE9PTMxg5+YbrGgdot3l7pQ3
+mqMu3aim2EYZZHTsMCRt4j4pRn5g4BZan+w7STfA7rIMJu/MjP3G4s+IFMPVRki
QLwktZSD+x2M9iIsOD4YVheMKtU6WRroFeCkXzIzLYwCuZ4ym/JFJMH+Keuyo254
5hcymw+ivmPP+xuuoP1npQioRH4RKpfDgskABv8+t5rteV4BtUIWL33A/wARAQAB
tDlCbG9ja3N0cmVhbSBTZWN1cml0eSBSZXBvcnRpbmcgPHNlY3VyaXR5QGJsb2Nr
c3RyZWFtLmNvbT6JAk4EEwEKADgWIQQRdlQtqY5x4TNyLvdKyMyIaESi1gUCW/9d
1AIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBKyMyIaESi1lcQD/9HZmtP
XhKtwC92zTsT5Xqt/K4ckaiJRaUlHeFtfkHpTdXIUFIJjZ1w1JJAWLtRf58MY45U
5DAOOYQptoXiy4USZkIMH1uBtFSAvyCUXH5cDWK1347G5rUg6Ry8Cxe+wzXOlxfr
f/9Vs28z+awfIrvk50sj4QW+mMlS69VwuHUl5CJ+BtcqQWQO85ummQxQq8rMw7rD
AwkftqiMKz+YLw5/xECyiXDDdQr66kdkglbQGgiciS7HNo0SQ2XqTNcGZkRA3lmv
HYCchZpgr9qxfnLjgVddJB+iNTwFZ7AQ7ZBlYWvu5UIMweuEz+yB7WGbQZLOsRZ8
OaIPmZ150VX0sQYeXYhoFrraNW6obFqsSklnQbsfw6KsCaFvYhNZgHf177YlrAzq
puR53H1sOjOQq8pnbjyf4XLhAGMC65LydWtkQK77m46kOBZad9UGg2WKg/SY+3pF
WWdP7vlsR7oJyElEQfUwBsT16K/6kenyagQ6CzqnF/X+W7P1STndpBJp4lD0RfaD
v6UyqxPYhUuQ24jP5jm8+RtS+OGB00czY2cVSDgjYVuU80WsW+Qt0XtLKeoVYdCb
TaKgreicqbz0Afr9hbPIieW2wbQnYlRPjprTVhhGsxlaUb7Kcz7fapliJrKBFgy5
odUljZ+iSompuiYtFhVYA8e6sx0pRUGOopnkGLkCDQRb/13UARAA3WAlRv6DofgG
xu+L2ePZb1OCQTkn4Eq+24veGibPvlqFJivF1ebctUtxiKVsz0dXtWcAYk7Rh2I/
xsEGxIzhjr5VLVOdldM5AgJna6WPvOA4sPXjdy47R71NfEQfg9Svv93mmkpbJsL3
NuHxvpoeO4A9JrFfwn7WJevXOiUWdKJ+nn0ZPwjYle6i27OfIojyVmZVQEiHC/Il
LxQEYaNDalAorjnn0b7X7S3Z8pMAb8HqD0RTXXed9LPgbasARyND2I2xy1txUDPI
Qcq6tIbryGYlegEHuvsE31zRPoNjnXkwABb6qBkUUiZMbRJCYOQXSo7Z2tasKHIJ
I/FnIj8dmT/IXDb9KiWr8wziGLdgnZx3QZGt5P0LIMFKrfXMNJO7EmO1QMbgZFgk
JPhJ0o61PvMaVLMQVoxD6K7bKOzI2t4LTA0l5RxuMcadu8G13YzgVXX44Cac1qUn
xriMzk62HXdSeZozcO/IRN7Kdw2bB++5EVYTQN1EEhIymXVUrBg2pXvLSXalg+kp
0BhLVHcbTI51mKz8GY9NUShFI7ZEzxzzltcEA+F5TLrPMgT+tx+QvjDdGWIhWycI
KW53hjKiGolhpG9Kqo9ogtCO2a3r6JspO0z+54/EF5rS2LI13pqk0qNgoYMYqChe
XU8BJdZ9siCooQ+3o+Y/9TkQWSAwnWkAEQEAAYkCNgQYAQoAIBYhBBF2VC2pjnHh
M3Iu90rIzIhoRKLWBQJb/13UAhsMAAoJEErIzIhoRKLWGhoP/jFfwRrda1RNR6OY
NHOIa4x4PtjDuYwDYgI5X2NQXlglyOTWouKjY1eu7LRoQSS5blD7BA9GHhYRDBL/
0NQo/EQn3JFoitGWs07Bry0A4DTOz0H7wRqVXtN+Ck13QdEemq+suLE+PcbRJ4Ei
ANoNVgSRGqYO683oXEzGgzF+FXXPbcRTNHwvV8LgmUioe2cgHX3Q2PC3gUTmnNkq
IhWirlT5cQVSLS2IzsP903uq8VtHl7lXLkS6Ba3CmwLoHYfhurGQNR6Av2WPgL2D
oY8NOxPdz9QxBUzUVObiMm3UfD/eTF73NAmNJRDqYzpY/l54ZyxLFjlfXRpwKrx/
islwezx+2fzns5u4xwdywVHzvgsmbXMIDdNTaTS8BDaKbAopLmbmuTnnTbJXWFbb
mQ2/GHcB0mKuXDkzt+7JMQ0NHtrGC3qvEtnTXZGXr3uIhFDkJSOoaH68dqq5++pz
GtT+aiv3L120r0pSSyTgbPsrqSlWgXEuJ4uzt3j69J0Qek0YrL0EDxHdnGPW4+fv
AZiq1RFG8MHOy0Obahed5uqlzXCNtroHdgSQeR+6IkODSsEd+hVdXJs/hjcWLNG5
VNztar/H4BSwlhKbgvFivOzhj8x5TNoqMM95G8Ew/5idiT/YQgsA6lcwsEZ78t9O
lTHPj4G8vH5F/zIFb+uQNSlKzuH+
=8mAH
-----END PGP PUBLIC KEY BLOCK-----

@Roasbeef
Copy link
Collaborator

Roasbeef commented Nov 9, 2020

@SomberNight
Copy link
Contributor

@ariard
Copy link
Author

ariard commented May 29, 2023

I’m still very interested in Lightning security flaws, though this is not my responsibility if they’re not shared and fixed across the ecosystem.

@ariard ariard closed this May 29, 2023
@ariard
Copy link
Author

ariard commented Jun 5, 2023

I’m still very interested in Lightning security flaws, though this is not my responsibility if they’re not shared and fixed across the ecosystem.

While this is the responsibility of each Lightning implementation to have a security incident response to fix implementation-specific flaws, I think this is still valuable to a security incident response at the spec-process, as experience has revealed you have common flaws shared between implementations due to lack of documentation of the spec (CVE-2019-12998, CVE-2019-12999 and CVE-2019-13000 on missing checks of confirmed funding UTXOs).

Beyond, a reliable communication channel is very valuable in case of cross-layer security flaws, e.g in the future in case of issues with the nversion=3 policy signaling mechanism preventing the propagation of time-sensitive LN transactions across the transaction-relay network on the base-layer. In this hypothetical security incident, we’ll need coordination not only between Lightning implementation maintenance team though potentially with full-nodes maintenance team like Bitcoin Core or btcd.

I’ll propose a documented communication channel for security incident response coordination across the Lightning ecosystem soon.

@ariard ariard reopened this Jun 5, 2023
@ariard
Copy link
Author

ariard commented Oct 20, 2023

See corresponding mail on the ml.

@ariard ariard closed this Oct 20, 2023
@ariard ariard reopened this Oct 22, 2023
@ariard
Copy link
Author

ariard commented Oct 22, 2023

will stay at least at least for doing transition with younger generation of devs for few more months. still aiming to focus back on base layer solving sec issues where they should be solved. see mail.

@ariard
Copy link
Author

ariard commented Dec 23, 2023

closing it for good. t-bast or lisa have my trust to handle ln security coordination in the future.

matt, laolu and rusty are medium standard on this regard from my 4 years of experience working with them.

@ariard ariard closed this Dec 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants