Skip to content

Commit

Permalink
Merge #679: Add SECURITY.md
Browse files Browse the repository at this point in the history
78c3836 Add SECURITY.md (Jonas Nick)

Pull request description:

  Fixes #646

  WIP because the secp256k1-security@bitcoincore.org email address doesn't exist yet. But it seems like the right place for vulnerability reports. security@bitcoincore.org would have the downside that it perhaps reaches more people than necessary. Ideally secp256k1-security would just forward to the three maintainers listed in SECURITY.md. @sipa @apoelstra is it okay to put you there? Fwiw I'm opting out for now because three people should be enough.

  @sipa do you know who to talk to about adding secp256k1-security@bitcoincore.org and the specifics about how it would work?

ACKs for top commit:
  real-or-random:
    ACK 78c3836 I looked at the diff and verified my fingerprint

Tree-SHA512: 53a989615665cf8cf0c6a70d3bc2c4b71b68178cae40b2a7881aa9eba24732d126ba1e258a9fc127c69b47bb3025943097300cfcbbe18736cbf92ff4f3a901e0
  • Loading branch information
jonasnick committed Nov 26, 2019
2 parents 0db61d2 + 78c3836 commit 387d723
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,3 +71,8 @@ Exhaustive tests
With valgrind, you might need to increase the max stack size:

$ valgrind --max-stackframe=2500000 ./exhaustive_tests

Reporting a vulnerability
------------

See [SECURITY.md](SECURITY.md)
15 changes: 15 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Security Policy

## Reporting a Vulnerability

To report security issues send an email to secp256k1-security@bitcoincore.org (not for support).

The following keys may be used to communicate sensitive information to developers:

| Name | Fingerprint |
|------|-------------|
| Pieter Wuille | 133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320 |
| Andrew Poelstra | 699A 63EF C17A D3A9 A34C FFC0 7AD0 A91C 40BD 0091 |
| Tim Ruffing | 09E0 3F87 1092 E40E 106E 902B 33BC 86AB 80FF 5516 |

You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints containing spaces.

0 comments on commit 387d723

Please sign in to comment.