Responsible Disclosure

Bitcoin requires a secure environment and we the MultiBit development team do our best to ensure that MultiBit HD provides as much security as we can given the limitations of a desktop environment. In addition to our own investigations, we welcome input by security researchers within the community to help us identify vulnerabilities that exist in our software.

This article explains how security researchers should responsibly disclose vulnerabilities within MultiBit HD and what they can expect from us during the process.

I'm a security researcher and I've found a flaw - where do I start ?

We prefer security vulnerabilities to be disclosed through a secure channel which generally means GPG encryption. KeepKey's public key can be found at 0x03B9D240A3606A58.

The description should be detailed enough to convince us that the flaw exists and is a real threat out in the field (1000 words is a good length). If you can provide a working example (with comments) of the vulnerability being exploited that will help us to fix it faster.

How can I contact you ?

You can use the links in the Bitcoin Resources page to locate the MultiBit development team and open communications through email as a starting point (you can use a temporary email address if you prefer). Alternatives include private messages on Twitter (MultiBitOrg).

We can then switch to an alternative communication form if it is mutually acceptable and convenient.

Can I remain anonymous ?

Yes. We won't make any attempt to identify you and we will operate under the terms of our privacy policy. Feel free to use a disposable email address.

I'm happy to maintain an encrypted dialogue over email. What happens next ?

After we've assessed the vulnerability, we will assign it a severity (high, medium or low) which will determine how rapidly we will address the problem and issue a fix. As a guide, high would mean it gets into the next release, low may never see the light of day.

When can I go public ?

We'd prefer it if you were able to hold off going public on the vulnerability until we have a fix rolled out into the field and seen considerable uptake. Depending on the severity this could range from a week to a couple of months. We will keep you informed of progress along the way so you can be assured that we are being open about the situation.

You are, of course, free to ignore this preference and proceed on your own timetable. We would resist rushing out a fix in response to your early disclosure since this would likely reduce the chances of a successful mitigation and possibly put our users at greater risk.

How will you disclose the vulnerability ?

When we make the vulnerability public we will normally do so via our blog. This will be accompanied by announcements on social media such as Twitter, Reddit and Bitcointalk. We will answer people's questions in the forums where possible. We would aim to release an article a few weeks after the vulnerability has been fixed to allow time for the fix to disseminate through the community.

What about attribution or a guest article ?

We welcome guest articles and we will give full attribution (or anonymity if preferred). We reserve the right to make edits to ensure the article is suitable for the MultiBit audience and you will be included at each iteration. Typically these iterations will be conducted through a secure channel.

What about a "bug bounty" ?

At present we are not in a position to offer a financial reward for assisting us with security vulnerabilities. Attribution on a high traffic website is all we can offer along with our gratitude.