
[up-to-grabs] add a security.md (was #772) #1269

@ariard

Description


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[up-to-grabs] add a security.md re-#772

Now that CVE-2025-27586 is out and the problem with "block signature overflow"
has been posted too, all the major lightning stuff that was still up
my sleeve should be out now. It has been ~18 months since the RCA full
disclosure, though now I can definitively transition out of lightning dev.

I still think it would be great for the project to have a security reporting
policy for all protocol-level vulnerabilities. I pray we have caught a lot
of the cross-layer vulnerabilities with the base layer, though it's not something
we can ever be sure of. #772 was a good start for a basic policy, e.g. 2 people
per major implementation. I don't know if we nominate for this kind of role
to take responsibility from, but I think @t-bast or @cdecker are good names.

I have already been out of doing anything technically substantial on the lightning side
for a while, though I'll now also abstain from investigating novel
lightning security stuff. After thinking a lot on this matter, and while I might
be one of the only devs taking deontology seriously, I think this can only be
a source of ethical issues due to the fact that CKC and I attended
the same 2019 chaincode residency. Based on my pre-bitcoin professional experience
and the sense of ethics hard-learnt there, I've always strictly and intentionally
kept her away from security info over the last 5 years to minimize the risk of
ethical issues, to be sure I always preserve the objectivity of my judgement there.
I'm starting to encroach on that boundary, and I shouldn't.

About ethics, "appearance" matters too, and given I've already had to sweep up
that kind of situation for some vulns on the bitcoin core side due to a pair
of devs in 2021, I'm very mindful about that kind of situation. It will also make
more room for her, if she wishes to work on all parts of the LN stack.
For me, slashing my LN career is no problem; I was already successful in my
pre-bitcoin technological career.

Do not blame; we didn't hire ourselves into the 2019 residency.

Antoine Louis Riard
0000000000000000000226739647ba400cce0aea29c462c71c31f00dc9dc4801
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
